
CERT Coordination Center

NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated)

Vulnerability Note VU#852879

Original Release Date: 2014-12-19 | Last Revised: 2015-10-27

Overview

The NTP Project ntpd version 4.2.7 and previous versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client.

Description

The Network Time Protocol (NTP) provides networked systems and devices with a way to synchronize time for various services and applications. The reference implementation produced by the NTP Project (ntp.org) contains several vulnerabilities.

CWE-290: Authentication Bypass by Spoofing - CVE-2014-9298

The IPv6 address ::1 can be spoofed, allowing an attacker to bypass ACLs based on ::1.

CWE-754: Improper Check for Unusual or Exceptional Conditions - CVE-2014-9297

The length value in extension field pointers is not properly validated, allowing information leaks.

CWE-332: Insufficient Entropy in PRNG - CVE-2014-9293

If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated.

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - CVE-2014-9294

ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys.

CWE-121: Stack Buffer Overflow - CVE-2014-9295

A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.

CWE-389: Error Conditions, Return Values, Status Codes - CVE-2014-9296

A section of code in ntpd that handles a rare error is missing a return statement, so processing does not stop when the error is encountered. This situation may be exploitable by an attacker.

The NTP Project provides more information about these issues in their security advisory.

The NTP Project implementation is widely used in operating system distributions and network products. These vulnerabilities affect ntpd acting as a server or client. CERT/CC is not aware of any public exploit of these vulnerabilities at this time.

The CVSS score below is based on the buffer overflow vulnerabilities (CVE-2014-9295).

Impact

The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process. The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes. More specifically, the weak default key allows access to private mode and control mode queries that require authentication, if not restricted by the configuration.

Solution

Apply an update

These issues have been addressed in ntp-4.2.8p1. The update may be downloaded from ntp.org.

Restrict status queries

As noted in the announcement for ntp-4.2.8:

The vulnerabilities listed below can be significantly mitigated by following the BCP of putting

  restrict default ... noquery

in the ntp.conf file.  With the exception of:

  receive(): missing return on error
  References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent vulnerabilities listed below can be exploited if the source IP is restricted from sending a 'query'-class packet by your ntp.conf file.


Use firewall rules

Install firewall rules that block ::1 IPv6 address from inappropriate network interfaces.

Disable autokey authentication

Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.
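
An added example (not code from CERT/CC or the NTP Project): a small Python audit of an ntp.conf against the two configuration mitigations above, flagging default restrict entries that lack noquery and active crypto directives, plus a check of an ntp.org-style version string against ntp-4.2.8p1. The sample configuration, the finding codes and the function names are constructed for illustration.

```python
import re

FIXED = (4, 2, 8, 1)  # ntp-4.2.8p1, the fixed release named in this note

# Constructed ntp.conf for illustration; not taken from a real host.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer      # noquery is missing
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.pool.example.org iburst
crypto pw constructed-password
  # crypto randfile /dev/urandom   (commented out, so not active)
"""


def is_fixed_version(version_text):
    """True if an ntp.org-style version (e.g. '4.2.6p5') is >= 4.2.8p1.

    Only ntp.org numbering is understood; vendor package numbers and
    backported fixes must be checked against the vendor's advisory.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version_text)
    if not m:
        return False
    return tuple(int(g or 0) for g in m.groups()) >= FIXED


def active_lines(conf_text):
    """Yield (line_number, tokens) for each directive, skipping comments."""
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield number, tokens


def is_default_entry(args):
    """'default' and the all-zero address/mask pairs name the default entry."""
    if args[:1] == ["default"]:
        return True
    return args[:3] in (["0.0.0.0", "mask", "0.0.0.0"], ["::", "mask", "::"])


def audit_ntp_conf(conf_text):
    """Return (line_number, code, detail) findings; line 0 is file-level."""
    findings = []
    saw_default = False
    for number, tokens in active_lines(conf_text):
        keyword = tokens[0].lower()
        args = [t.lower() for t in tokens[1:]]
        if keyword == "restrict":
            family = "any"
            if args and args[0] in ("-4", "-6"):
                family, args = args[0], args[1:]
            if is_default_entry(args):
                saw_default = True
                # 'ignore' drops every packet, so it also blocks queries.
                if "noquery" not in args and "ignore" not in args:
                    findings.append((number, "DEFAULT_ALLOWS_QUERY",
                                     f"default restrict ({family}) lacks noquery"))
        elif keyword == "crypto":
            findings.append((number, "AUTOKEY_ENABLED",
                             "crypto directive configures Autokey"))
    if not saw_default:
        findings.append((0, "NO_DEFAULT_RESTRICT",
                         "no default restrict entry, so unmatched sources "
                         "are unrestricted"))
    return findings


if __name__ == "__main__":
    for line_no, code, detail in audit_ntp_conf(SAMPLE_NTP_CONF):
        print(f"line {line_no}: {code}: {detail}")
    print("4.2.6p5 fixed:", is_fixed_version("4.2.6p5"))
```
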

Vendor Information


Apple

Notified:  December 18, 2014 Updated:  December 23, 2014

Status

  Affected

Vendor Statement

From the Apple support advisory:

"OS X NTP Security Update - ntpd

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1

Impact: A remote attacker may be able to execute arbitrary code

Description: Several issues existed in ntpd that would have allowed an attacker to trigger buffer overflows. These issues were addressed through improved error checking.

To verify the ntpd version, type the following command in Terminal: what /usr/sbin/ntpd. This update includes the following versions:

    • Mountain Lion: ntp-77.1.1
    • Mavericks: ntp-88.1.1
    • Yosemite: ntp-92.5.1

CVE-ID

CVE-2014-9295 : Stephen Roettger of the Google Security Team"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Cisco Systems, Inc.

Notified:  December 18, 2014 Updated:  January 13, 2015

Statement Date:   January 13, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Cisco Systems has released a Cisco Security Advisory on their products, available at the URL: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd

Vendor References

EfficientIP

Updated:  December 24, 2014

Statement Date:   December 24, 2014

Status

  Affected

Vendor Statement

"All versions are affected by CWE-389 (CVE-2014-9296).

Upgrade to the latest patch of your release: 5.0.4.p1a, 5.0.3.p4a or 4.0.2p13d.

Available releases can be downloaded at: http://www.efficientip.com/support-services/"

Vendor Information

CVE-2014-9296 covers this vulnerability for ntpd.

Vendor References

F5 Networks, Inc.

Notified:  December 18, 2014 Updated:  January 13, 2015

Statement Date:   January 13, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

F5 has released a security advisory for its products at the URL: https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15936.html

Vendor References

FreeBSD Project

Notified:  December 18, 2014 Updated:  April 10, 2015

Statement Date:   December 19, 2014

Status

  Affected

Vendor Statement

"All currently supported FreeBSD releases (8.4, 9.1, 9.2, 9.3, 10.0 and 10.1) include vulnerable versions of ntpd."

Vendor Information

FreeBSD has released advisories with patches; please see the Advisory URLs below.

Vendor References

Huawei Technologies

Updated:  December 23, 2014

Statement Date:   December 23, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation

Updated:  October 26, 2015

Status

  Affected

Vendor Statement

We provide information on this issue at the following URL: <http://jpn.nec.com/security-info/secinfo/nv15-009.html> (only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

NTP Project

Notified:  December 03, 2014 Updated:  December 22, 2014

Statement Date:   December 19, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see the vendor Security Notice at the URL below.

Vendor References

OmniTI

Notified:  December 20, 2014 Updated:  December 22, 2014

Statement Date:   December 20, 2014

Status

  Affected

Vendor Statement

"Affected, but Update now available"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  December 18, 2014 Updated:  December 30, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Red Hat has released updated packages for ntpd to address these vulnerabilities. You may find information about the vulnerabilities and the updated packages at the link below:

https://rhn.redhat.com/errata/RHSA-2014-2024.html

Vendor References

Watchguard Technologies, Inc.

Notified:  December 18, 2014 Updated:  December 19, 2014

Statement Date:   December 19, 2014

Status

  Affected

Vendor Statement

"Our XTM and Firebox appliances (our main products) are not vulnerable to these flaws, since we use openntpd rather than ntpd.

Our wireless access points are not vulnerable since they only use the basic ntpclient.

However, our XCS appliances (mail security) are vulnerable to the ntpd flaws. We will be releasing a firmware update to fix these flaws as soon as practical. However, in the meantime, we are sharing simple steps to mitigate this issue (use our firewall to block NTP, and point to an internal, updated NTP server instead)."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Belkin, Inc.

Notified:  December 18, 2014 Updated:  March 05, 2015

Statement Date:   March 05, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fortinet, Inc.

Notified:  December 18, 2014 Updated:  December 24, 2014

Statement Date:   December 24, 2014

Status

  Not Affected

Vendor Statement

"Fortigate products are not vulnerable."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD

Notified:  December 18, 2014 Updated:  December 19, 2014

Statement Date:   December 19, 2014

Status

  Not Affected

Vendor Statement

"OpenBSD does not use ntp.org code."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  December 18, 2014 Updated:  December 21, 2014

Statement Date:   December 20, 2014

Status

  Not Affected

Vendor Statement

"Openwall GNU/*/Linux is not affected.  We use OpenNTPD."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

m0n0wall

Notified:  December 18, 2014 Updated:  December 19, 2014

Statement Date:   December 19, 2014

Status

  Not Affected

Vendor Statement

"m0n0wall does not include ntpd and is therefore not affected."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

AT&T

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Alcatel-Lucent

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Arch Linux

Notified:  December 19, 2014 Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Avaya, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Barracuda Networks

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Blue Coat Systems

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CA Technologies

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CentOS

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Check Point Software Technologies

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Cray Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

D-Link Systems, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Debian GNU/Linux

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DragonFly BSD Project

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EMC Corporation

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Engarde Secure Linux

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Enterasys Networks

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Ericsson

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Extreme Networks

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Fedora Project

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Force10 Networks, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Foundry Networks, Inc.

Notified:  December 19, 2014 Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Fujitsu

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Gentoo Linux

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Global Technology Associates, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Google

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hewlett-Packard Company

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hitachi

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM Corporation

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM Corporation (zseries)

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM eServer

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Infoblox

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Intel Corporation

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Intoto

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Juniper Networks, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Mandriva S. A.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

McAfee

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Microsemi

Notified:  December 23, 2014 Updated:  December 23, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

MontaVista Software, Inc.

Notified:  December 19, 2014 Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NEC Corporation

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NetBSD

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nokia

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Novell, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

                                                                                        Oracle Corporation

                                                                                        Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                        Status

                                                                                          Unknown

                                                                                        Vendor Statement

                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                        Vendor References

                                                                                          Palo Alto Networks

                                                                                          Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                          Status

                                                                                            Unknown

                                                                                          Vendor Statement

                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                          Vendor References

                                                                                            Peplink

                                                                                            Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                            Status

                                                                                              Unknown

                                                                                            Vendor Statement

                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                            Vendor References

                                                                                              Process Software

                                                                                              Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                              Status

                                                                                                Unknown

                                                                                              Vendor Statement

                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                              Vendor References

                                                                                                Q1 Labs

                                                                                                Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                Status

                                                                                                  Unknown

                                                                                                Vendor Statement

                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                Vendor References

                                                                                                  QNX Software Systems Inc.

                                                                                                  Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                  Status

                                                                                                    Unknown

                                                                                                  Vendor Statement

                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                  Vendor References

                                                                                                    Quagga

                                                                                                    Notified:  December 19, 2014 Updated:  December 19, 2014

                                                                                                    Status

                                                                                                      Unknown

                                                                                                    Vendor Statement

                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                    Vendor References

                                                                                                      SUSE Linux

                                                                                                      Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                      Status

                                                                                                        Unknown

                                                                                                      Vendor Statement

                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                      Vendor References

                                                                                                        SafeNet

                                                                                                        Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                        Status

                                                                                                          Unknown

                                                                                                        Vendor Statement

                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                        Vendor References

                                                                                                          Slackware Linux Inc.

                                                                                                          Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                          Status

                                                                                                            Unknown

                                                                                                          Vendor Statement

                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                          Vendor References

                                                                                                            SmoothWall

                                                                                                            Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                            Status

                                                                                                              Unknown

                                                                                                            Vendor Statement

                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                            Vendor References

                                                                                                              Snort

                                                                                                              Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                              Status

                                                                                                                Unknown

                                                                                                              Vendor Statement

                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                              Vendor References

                                                                                                                Sony Corporation

                                                                                                                Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                Status

                                                                                                                  Unknown

                                                                                                                Vendor Statement

                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                Vendor References

                                                                                                                  Sourcefire

                                                                                                                  Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                  Status

                                                                                                                    Unknown

                                                                                                                  Vendor Statement

                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                  Vendor References

                                                                                                                    Stonesoft

                                                                                                                    Notified:  December 19, 2014 Updated:  December 19, 2014

                                                                                                                    Status

                                                                                                                      Unknown

                                                                                                                    Vendor Statement

                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                    Vendor References

                                                                                                                      Symantec

                                                                                                                      Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                      Status

                                                                                                                        Unknown

                                                                                                                      Vendor Statement

                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                      Vendor References

                                                                                                                        The SCO Group

                                                                                                                        Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                        Status

                                                                                                                          Unknown

                                                                                                                        Vendor Statement

                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                        Vendor References

                                                                                                                          TippingPoint Technologies Inc.

                                                                                                                          Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                          Status

                                                                                                                            Unknown

                                                                                                                          Vendor Statement

                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                          Vendor References

                                                                                                                            Turbolinux

                                                                                                                            Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                            Status

                                                                                                                              Unknown

                                                                                                                            Vendor Statement

                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                            Vendor References

                                                                                                                              Ubuntu

                                                                                                                              Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                              Status

                                                                                                                                Unknown

                                                                                                                              Vendor Statement

                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                              Vendor References

                                                                                                                                Unisys

                                                                                                                                Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                                Status

                                                                                                                                  Unknown

                                                                                                                                Vendor Statement

                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                Vendor References

                                                                                                                                  VMware

                                                                                                                                  Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                                  Status

                                                                                                                                    Unknown

                                                                                                                                  Vendor Statement

                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                  Vendor References

                                                                                                                                    Vyatta

                                                                                                                                    Notified:  December 19, 2014 Updated:  December 19, 2014

                                                                                                                                    Status

                                                                                                                                      Unknown

                                                                                                                                    Vendor Statement

                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                    Vendor References

                                                                                                                                      Wind River Systems, Inc.

                                                                                                                                      Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                                      Status

                                                                                                                                        Unknown

                                                                                                                                      Vendor Statement

                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                      Vendor References

                                                                                                                                        ZyXEL

                                                                                                                                        Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                                        Status

                                                                                                                                          Unknown

                                                                                                                                        Vendor Statement

                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                        Vendor References

                                                                                                                                          eSoft, Inc.

                                                                                                                                          Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                                          Status

                                                                                                                                            Unknown

                                                                                                                                          Vendor Statement

                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                          Vendor References

                                                                                                                                            netfilter

                                                                                                                                            Notified:  December 18, 2014 Updated:  December 18, 2014

                                                                                                                                            Status

                                                                                                                                              Unknown

                                                                                                                                            Vendor Statement

                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                            Vendor References


                                                                                                                                              CVSS Metrics

Group          Score  Vector
Base           7.5    AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal       5.9    E:POC/RL:OF/RC:C
Environmental  5.9    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

                                                                                                                                              References

                                                                                                                                              Acknowledgements

                                                                                                                                              The NTP Project credits Stephen Roettger and Neel Mehta of the Google Security Team for discovering these vulnerabilities.

                                                                                                                                              This document was written by Garret Wassermann.

                                                                                                                                              Other Information

                                                                                                                                              CVE IDs: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, CVE-2014-9297, CVE-2014-9298
                                                                                                                                              Date Public: 2014-12-19
                                                                                                                                              Date First Published: 2014-12-19
                                                                                                                                              Date Last Updated: 2015-10-27 02:22 UTC
                                                                                                                                              Document Revision: 123

                                                                                                                                              Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.