VID 23237
Severity 40
Port 123
Protocol UDP
Class NTPD
Detailed Description The NTP daemon, according to its version number, is affected by multiple vulnerabilities. The Network Time Protocol (NTP) daemon is responsible for providing accurate time reports used for synchronizing the clocks on installed systems.
Multiple vulnerabilities exist in the Network Time Protocol daemon (NTPD). Two vulnerabilities, insufficient entropy and a weak pseudo-random number generator, can lead to insecure keys.
A stack buffer overflow exists which can lead to arbitrary code execution in the context of the NTPD process.
The final vulnerability is due to a missing return statement in a section of error handling code, which may lead to code execution.
A remote attacker could exploit these vulnerabilities by sending a crafted NTP request to a vulnerable service.

* Note: This check relies solely on the version number of the remote NTP daemon to assess this vulnerability, so this might be a false positive.

* References:
http://support.ntp.org/bin/view/Main/SecurityNotice

* Platforms Affected:
NTPD versions prior to 4.2.8
Any operating system Any version
Recommendation Upgrade to the latest version of NTP (4.2.8 or later), available from the NTP Software Downloads Web page at http://ntp.isc.org/bin/view/Main/SoftwareDownloads
Related URL CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)