
CERT Coordination Center


NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated)

Vulnerability Note VU#852879

Original Release Date: 2014-12-19 | Last Revised: 2015-10-27

Overview

The NTP Project ntpd version 4.2.7 and previous versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client.

Description

The Network Time Protocol (NTP) provides networked systems and devices with a way to synchronize time for various services and applications. The reference implementation produced by the NTP Project (ntp.org) contains several vulnerabilities.

CWE-290: Authentication Bypass by Spoofing - CVE-2014-9298

The IPv6 address ::1 can be spoofed, allowing an attacker to bypass ACLs based on ::1.

CWE-754: Improper Check for Unusual or Exceptional Conditions - CVE-2014-9297

The length value in extension field pointers is not properly validated, allowing information leaks.

CWE-332: Insufficient Entropy in PRNG - CVE-2014-9293

If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated.

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - CVE-2014-9294

ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys.

CWE-121: Stack Buffer Overflow - CVE-2014-9295

A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.

CWE-389: Error Conditions, Return Values, Status Codes - CVE-2014-9296

A section of code in ntpd that handles a rare error is missing a return statement, so processing does not stop when the error is encountered. This situation may be exploitable by an attacker.

The NTP Project provides more information about these issues in their security advisory.

The NTP Project implementation is widely used in operating system distributions and network products. These vulnerabilities affect ntpd acting as a server or client. CERT/CC is not aware of any public exploit of these vulnerabilities at this time.

The CVSS score below is based on the buffer overflow vulnerabilities (CVE-2014-9295).

Impact

The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process. The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes. More specifically, the weak default key allows access to private mode and control mode queries that require authentication, if not restricted by the configuration.

Solution

Apply an update

These issues have been addressed in ntp-4.2.8p1. The update may be downloaded from ntp.org.

Restrict status queries

As noted in the announcement for ntp-4.2.8:

The vulnerabilities listed below can be significantly mitigated by following the BCP of putting

  restrict default ... noquery

in the ntp.conf file.  With the exception of:

  receive(): missing return on error
  References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent vulnerabilities listed below can be exploited if the source IP is restricted from sending a 'query'-class packet by your ntp.conf file.


Use firewall rules

Install firewall rules that block ::1 IPv6 address from inappropriate network interfaces.

Disable autokey authentication

Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.
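The configuration mitigations above can be checked mechanically. The following audit script is an added example, not code from CERT/CC or the NTP Project; the finding codes, the sample ntp.conf and the sample version string are constructed for illustration. It assumes an unqualified "restrict default" line covers both address families, and it recognizes only upstream-style 4.x.y[pN] version strings.

```python
import re

FIXED = (4, 2, 8, 1)  # ntp-4.2.8p1, the fixed release named in this note


def parse_version(text):
    """Return (4, minor, micro, patch) from an upstream ntp version string.

    Vendor numbering that does not follow 4.x.y[pN] (for example Apple's
    "ntp-77.1.1") returns None. Release-candidate suffixes are not handled.
    """
    m = re.search(r"\b4\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if m is None:
        return None
    minor, micro, patch = (int(g) if g else 0 for g in m.groups())
    return (4, minor, micro, patch)


def audit(conf_text, version_text=None):
    """Return a list of (code, line_number, message); line 0 means the whole file."""
    findings = []
    if version_text is not None:
        version = parse_version(version_text)
        if version is None:
            findings.append(("VERSION_UNPARSED", 0,
                             "not an upstream 4.x.y[pN] version; check the vendor advisory"))
        elif version < FIXED:
            # Distributions may backport fixes without changing this number.
            findings.append(("OLD_VERSION", 0, "upstream version predates ntp-4.2.8p1"))

    families = set()  # address families that have a default restrict line
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if not tokens:
            continue
        keyword = tokens[0].lower()
        if keyword == "crypto":
            findings.append(("AUTOKEY_CRYPTO", lineno,
                             "crypto directive present; remove or comment out"))
        elif keyword == "restrict":
            args = tokens[1:]
            family = "any"
            if args and args[0] in ("-4", "-6"):
                family, args = args[0], args[1:]
            if not args or args[0].lower() != "default":
                continue  # host- or subnet-specific entry, not the default
            families.add(family)
            flags = {a.lower() for a in args[1:]}
            # "ignore" drops every packet, so it also blocks queries.
            if not flags & {"noquery", "ignore"}:
                findings.append(("DEFAULT_ALLOWS_QUERY", lineno,
                                 "default restriction lacks noquery"))

    if not families:
        findings.append(("NO_DEFAULT_RESTRICT", 0, "no 'restrict default' line"))
    else:
        if not families & {"any", "-4"}:
            findings.append(("NO_DEFAULT_RESTRICT_V4", 0, "no IPv4 default restriction"))
        if not families & {"any", "-6"}:
            findings.append(("NO_DEFAULT_RESTRICT_V6", 0, "no IPv6 default restriction"))
    return findings


# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample
driftfile /var/lib/ntp/drift
restrict -4 default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
crypto pw examplepassword
server 0.pool.example.org iburst
"""

if __name__ == "__main__":
    for code, lineno, message in audit(SAMPLE_CONF, "ntpd 4.2.6p5"):
        where = "line %d" % lineno if lineno else "file"
        print("%-22s %-8s %s" % (code, where, message))
```

A clean result for the restrict check does not cover CVE-2014-9296, which the announcement quoted above lists as the exception to the noquery mitigation.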

Vendor Information


Apple

Notified:  December 18, 2014 Updated:  December 23, 2014

Status

  Affected

Vendor Statement

From the Apple support advisory:

"OS X NTP Security Update - ntpd

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1

Impact: A remote attacker may be able to execute arbitrary code

Description: Several issues existed in ntpd that would have allowed an attacker to trigger buffer overflows. These issues were addressed through improved error checking.

To verify the ntpd version, type the following command in Terminal: what /usr/sbin/ntpd. This update includes the following versions:

    • Mountain Lion: ntp-77.1.1
    • Mavericks: ntp-88.1.1
    • Yosemite: ntp-92.5.1
CVE-ID

CVE-2014-9295 : Stephen Roettger of the Google Security Team"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.apple.com/en-us/HT6601

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems, Inc.

Notified:  December 18, 2014 Updated:  January 13, 2015

Statement Date:   January 13, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Cisco Systems has released a Cisco Security Advisory on their products, available at the URL: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd

Vendor References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd

Addendum

There are no additional comments at this time.


EfficientIP

Updated:  December 24, 2014

Statement Date:   December 24, 2014

Status

  Affected

Vendor Statement

"All versions are affected by CWE-389 (CVE-2014-9296). 

Upgrade to the latest patch of your release: 5.0.4.p1a, 5.0.3.p4a or 4.0.2p13d.

Available releases can be downloaded at: http://www.efficientip.com/support-services/
"

Vendor Information

CVE-2014-9296 covers this vulnerability for ntpd.

Vendor References

http://www.efficientip.com/support-services/

Addendum

There are no additional comments at this time.


F5 Networks, Inc.

Notified:  December 18, 2014 Updated:  January 13, 2015

Statement Date:   January 13, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

F5 has released a security advisory for its products at the URL: https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15936.html

Vendor References

https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15936.html

Addendum

There are no additional comments at this time.


FreeBSD Project

Notified:  December 18, 2014 Updated:  April 10, 2015

Statement Date:   December 19, 2014

Status

  Affected

Vendor Statement

"All currently supported FreeBSD releases (8.4, 9.1, 9.2, 9.3, 10.0 and
10.1) include vulnerable versions of ntpd.
"

Vendor Information

FreeBSD has released advisories with patches; please see the Advisory URLs below.

Vendor References

https://www.freebsd.org/security/advisories/FreeBSD-SA-14:31.ntp.asc
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:07.ntp.asc

Addendum

There are no additional comments at this time.


Huawei Technologies

Updated:  December 23, 2014

Statement Date:   December 23, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


NEC Corporation

Updated:  October 26, 2015

Status

  Affected

Vendor Statement

We provide information on this issue at the following URL <http://jpn.nec.com/security-info/secinfo/nv15-009.html> (only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://jpn.nec.com/security-info/secinfo/nv15-009.html

Addendum

There are no additional comments at this time.


NTP Project

Notified:  December 03, 2014 Updated:  December 22, 2014

Statement Date:   December 19, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see the vendor Security Notice at the URL below.

Vendor References

http://support.ntp.org/bin/view/Main/SecurityNotice
http://lists.ntp.org/pipermail/announce/2014-December/000122.html

Addendum

There are no additional comments at this time.


OmniTI

Notified:  December 20, 2014 Updated:  December 22, 2014

Statement Date:   December 20, 2014

Status

  Affected

Vendor Statement

"Affected, but Update now available"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Red Hat, Inc.

Notified:  December 18, 2014 Updated:  December 30, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Red Hat has released updated packages for ntpd to address these vulnerabilities. You may find information about the vulnerabilities and the updated packages at the link below:

https://rhn.redhat.com/errata/RHSA-2014-2024.html

Vendor References

https://rhn.redhat.com/errata/RHSA-2014-2024.html

Addendum

There are no additional comments at this time.


Watchguard Technologies, Inc.

Notified:  December 18, 2014 Updated:  December 19, 2014

Statement Date:   December 19, 2014

Status

  Affected

Vendor Statement

"Our XTM and Firebox appliances (our main products) are not vulnerable to these flaws, since we use openntpd rather than ntpd.

Our wireless access points are not vulnerable since they only use the basic ntpclient.

However, our XCS appliances (mail security) are vulnerable to the ntpd flaws. We will be releasing a firmware update to fix these flaws as soon as practical. However, in the meantime, we are sharing simple steps to mitigate this issue (use our firewall to block NTP, and point to an internal, updated NTP server instead)."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Belkin, Inc.

Notified:  December 18, 2014 Updated:  March 05, 2015

Statement Date:   March 05, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Fortinet, Inc.

Notified:  December 18, 2014 Updated:  December 24, 2014

Statement Date:   December 24, 2014

Status

  Not Affected

Vendor Statement

"Fortigate products are not vulnerable."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


OpenBSD

Notified:  December 18, 2014 Updated:  December 19, 2014

Statement Date:   December 19, 2014

Status

  Not Affected

Vendor Statement

"OpenBSD does not use ntp.org code."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Openwall GNU/*/Linux

Notified:  December 18, 2014 Updated:  December 21, 2014

Statement Date:   December 20, 2014

Status

  Not Affected

Vendor Statement

"Openwall GNU/*/Linux is not affected.  We use OpenNTPD."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


m0n0wall

Notified:  December 18, 2014 Updated:  December 19, 2014

Statement Date:   December 19, 2014

Status

  Not Affected

Vendor Statement

"m0n0wall does not include ntpd and is therefore not affected."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


ACCESS

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


AT&T

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Alcatel-Lucent

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Arch Linux

Notified:  December 19, 2014 Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Avaya, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Barracuda Networks

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Blue Coat Systems

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


CA Technologies

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


CentOS

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Check Point Software Technologies

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Cray Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


D-Link Systems, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Debian GNU/Linux

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


DragonFly BSD Project

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


EMC Corporation

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Engarde Secure Linux

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Enterasys Networks

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Ericsson

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Extreme Networks

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Fedora Project

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Force10 Networks, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Foundry Networks, Inc.

Notified:  December 19, 2014 Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Fujitsu

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Gentoo Linux

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Global Technology Associates, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Google

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Hewlett-Packard Company

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Hitachi

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


IBM Corporation

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


IBM Corporation (zseries)

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


IBM eServer

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Infoblox

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Intel Corporation

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Intoto

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Juniper Networks, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Mandriva S. A.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


McAfee

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Microsemi

Notified:  December 23, 2014 Updated:  December 23, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.


Microsoft Corporation

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


MontaVista Software, Inc.

Notified:  December 19, 2014 Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


NEC Corporation

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


NetBSD

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Nokia

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Novell, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Oracle Corporation

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Palo Alto Networks

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Peplink

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Process Software

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Q1 Labs

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


QNX Software Systems Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


Quagga

Notified:  December 19, 2014 Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

SUSE Linux

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

SafeNet

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Slackware Linux Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

SmoothWall

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Snort

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Sony Corporation

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Sourcefire

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Stonesoft

Notified:  December 19, 2014 Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Symantec

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

The SCO Group

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

TippingPoint Technologies Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Turbolinux

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Ubuntu

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Unisys

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

VMware

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Vyatta

Notified:  December 19, 2014 Updated:  December 19, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Wind River Systems, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

ZyXEL

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

eSoft, Inc.

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

netfilter

Notified:  December 18, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.


CVSS Metrics

Group          Score  Vector
Base           7.5    AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal       5.9    E:POC/RL:OF/RC:C
Environmental  5.9    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

Credit

The NTP Project credits Stephen Roettger and Neel Mehta of the Google Security Team for discovering these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, CVE-2014-9297, CVE-2014-9298
Date Public: 2014-12-19
Date First Published: 2014-12-19
Date Last Updated: 2015-10-27 02:22 UTC
Document Revision: 123

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.