The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client.
The Network Time Protocol (NTP) provides networked systems and devices with a way to synchronize time for various services and applications. The reference implementation produced by the NTP Project (ntp.org) contains several vulnerabilities.
CWE-290: Authentication Bypass by Spoofing - CVE-2014-9298
The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process. The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes. More specifically, the weak default key allows access to private mode and control mode queries that require authentication, if not restricted by the configuration.
Apply an update
Restrict status queries
The NTP Project credits Stephen Roettger and Neel Mehta of the Google Security Team for discovering these vulnerabilities.
This document was written by Garret Wassermann.