OVAL Reference oval:org.mitre.oval:def:28264

CVE-2014-9293)Stephen Roettger discovered that NTP generated weak MD5 keys. A remoteattacker could possibly use this issue to brute force the MD5 key and spoofa client or server. (CVE-2014-9294)Stephen Roettger discovered that NTP contained buffer overflows in thecrypto_recv(), ctl_putdata() and configure() functions. In non-defaultconfigurations, a remote attacker could use these issues to cause NTP tocrash, resulting in a denial of service, or possibly execute arbitrarycode. The default compiler options for affected releases should reduce thevulnerability to a denial of service. In addition, attackers would beisolated by the NTP AppArmor profile. (CVE-2014-9295)Stephen Roettger discovered that NTP incorrectly continued processing whenhandling certain errors. (CVE-2014-9296)"> OVAL Reference oval:org.mitre.oval:def:28264 - CERT Civis.Net

Oval Definition:

oval:org.mitre.oval:def:28264

Revision Date:	2015-02-23	Version:	3
Title:	USN-2449-1 -- NTP vulnerabilities
Description:	Neel Mehta discovered that NTP generated weak authentication keys. A remoteattacker could possibly use this issue to brute force the authenticationkey and send requests if permitted by IP restrictions. (CVE-2014-9293)Stephen Roettger discovered that NTP generated weak MD5 keys. A remoteattacker could possibly use this issue to brute force the MD5 key and spoofa client or server. (CVE-2014-9294)Stephen Roettger discovered that NTP contained buffer overflows in thecrypto_recv(), ctl_putdata() and configure() functions. In non-defaultconfigurations, a remote attacker could use these issues to cause NTP tocrash, resulting in a denial of service, or possibly execute arbitrarycode. The default compiler options for affected releases should reduce thevulnerability to a denial of service. In addition, attackers would beisolated by the NTP AppArmor profile. (CVE-2014-9295)Stephen Roettger discovered that NTP incorrectly continued processing whenhandling certain errors. (CVE-2014-9296)
Family:	unix	Class:	patch
Status:	ACCEPTED	Reference(s):	CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 USN-2449-1
Platform(s):	Ubuntu 10.04 Ubuntu 12.04 Ubuntu 14.04 Ubuntu 14.10	Product(s):	ntp
Definition Synopsis
Ubuntu 14.10 release section Ubuntu 14.10 is installed AND ntp is earlier than 1:4.2.6.p5+dfsg-3ubuntu2.14.10.1 Ubuntu 14.04 release section Ubuntu 14.04 is installed AND ntp is earlier than 1:4.2.6.p5+dfsg-3ubuntu2.14.04.1 Ubuntu 12.04 release section Ubuntu 12.04 is installed AND ntp is earlier than 1:4.2.6.p3+dfsg-1ubuntu3.2 Ubuntu 10.04 release section Ubuntu 10.04 is installed AND ntp is earlier than 1:4.2.4p8+dfsg-1ubuntu2.2

BACK