NTP Daemon up to 4.2.7 Random Generator ntp_config.c config_auth improper authentication
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.6 | $0-$5k | 0.00 |
Summary
A vulnerability labeled as critical has been found in NTP Daemon up to 4.2.7. This vulnerability affects the function config_auth of the file ntp_config.c of the component Random Generator. Such manipulation leads to improper authentication.
This vulnerability is documented as CVE-2014-9293. There is not any exploit available.
The affected component should be upgraded.
Details
A vulnerability, which was classified as critical, has been found in NTP Daemon up to 4.2.7 (Network Management Software). Affected by this issue is the function config_auth of the file ntp_config.c of the component Random Generator. The manipulation with an unknown input leads to a improper authentication vulnerability. Using CWE to declare the problem leads to CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Impacted is confidentiality, integrity, and availability. CVE summarizes:
The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
The weakness was released 12/21/2014 by Neel Mehta with Google as Sec 2665 as confirmed blog post (Bug Tracker). The advisory is shared for download at bugs.ntp.org. This vulnerability is handled as CVE-2014-9293 since 12/05/2014. The exploitation is known to be easy. The attack may be launched remotely. A simple authentication is necessary for exploitation. There are known technical details, but no exploit is available. The advisory points out:
If no auth key is set in the configuration file, ntpd would generate a random key on the fly. There were two problems with this: 1) the generated key was 31 bits in size, and 2) it used the (now weak) ntp_random() function, which was seeded with a 32 bit value and can only provide 32 bits of entropy. This was sufficient back in the late 1990s when this code was written. Not today.
The vulnerability scanner Nessus provides a plugin with the ID 80154 (Oracle Linux 6 / 7 : ntp (ELSA-2014-2024)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Oracle Linux Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 350240 (Amazon Linux Security Advisory for ntp: ALAS-2014-462).
Upgrading to version 4.2.7p11 eliminates this vulnerability. It is possible to mitigate the problem by applying the configuration setting restrict ... noquery. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published even before and not after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (99576), Tenable (80154), SecurityFocus (BID 71757†), Secunia (SA62209†) and SecurityTracker (ID 1031411†). Entries connected to this vulnerability are available at VDB-68452, VDB-68453, VDB-68454 and VDB-68455. If you want to get best quality of vulnerability data, you may have to visit VulDB.
Product
Type
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.6VulDB Meta Temp Score: 6.6
VulDB Base Score: 7.6
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Improper authenticationCWE: CWE-287
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Unproven
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 80154
Nessus Name: Oracle Linux 6 / 7 : ntp (ELSA-2014-2024)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 703108
OpenVAS Name: Debian Security Advisory DSA 3108-1 (ntp - security update)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: NTP Daemon 4.2.7p11
Config: restrict ... noquery
Timeline
01/28/2010 🔍12/05/2014 🔍
12/19/2014 🔍
12/19/2014 🔍
12/19/2014 🔍
12/20/2014 🔍
12/21/2014 🔍
12/22/2014 🔍
12/22/2014 🔍
01/07/2015 🔍
01/13/2015 🔍
03/01/2022 🔍
Sources
Advisory: Sec 2665Researcher: Neel Mehta
Organization: Google
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2014-9293 (🔍)
GCVE (CVE): GCVE-0-2014-9293
GCVE (VulDB): GCVE-100-68456
OVAL: 🔍
CERT: 🔍
X-Force: 99576 - NTP config_auth function weak security, Medium Risk
SecurityFocus: 71757 - NTP 'ntp_config.c' Insufficient Entropy Security Weakness
Secunia: 62209 - Cisco ACNS (Application and Content Networking System) NTP Multiple Buffer Overflow Vulner, Highly Critical
SecurityTracker: 1031411 - NTP Uses Weak Default Encryption Key and Weak RNG Seed
Vulnerability Center: 47959 - NTP 4.x before 4.2.7p11 Remote Security Restrictions Bypass due to Weak Cryptographic Protection, High
See also: 🔍
Entry
Created: 12/22/2014 08:36Updated: 03/01/2022 14:13
Changes: 12/22/2014 08:36 (92), 06/17/2017 07:41 (8), 03/01/2022 14:13 (3)
Complete: 🔍
Cache ID: 216:BFB:103
No comments yet. Languages: en.
Please log in to comment.