Information Security


Multiple vulnerabilities in ntpd
updated since December 23, 2014
Published: February 11, 2015
Source:
SecurityVulns ID: 14171
Type: remote
Severity: 8/10
Description: Authentication bypass, buffer overflow, information leak, restriction bypass.
Affected products: NTP: ntp 4.2
CVE: CVE-2014-9298 (** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-9750, CVE-2014-9751. Reason: this ID was intended for one issue, but was associated with two issues. Notes: All CVE users should consult CVE-2014-9750 and CVE-2014-9751 to identify the ID or IDs of interest. All references and descriptions in this candidate have been removed to prevent accidental usage.)
 CVE-2014-9297 (** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-9750, CVE-2014-9751. Reason: this ID was intended for one issue, but was associated with two issues. Notes: All CVE users should consult CVE-2014-9750 and CVE-2014-9751 to identify the ID or IDs of interest. All references and descriptions in this candidate have been removed to prevent accidental usage.)
 CVE-2014-9296 (The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets.)
 CVE-2014-9295 (Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function.)
 CVE-2014-9294 (util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.)
 CVE-2014-9293 (The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.)
Original text: UBUNTU, [USN-2497-1] NTP vulnerabilities (11.02.2015)
 FREEBSD, FreeBSD Security Advisory FreeBSD-SA-14:31.ntp (25.12.2014)
 CISCO, Cisco Security Advisory: Multiple Vulnerabilities in ntpd Affecting Cisco Products (25.12.2014)
 APPLE, APPLE-SA-2014-12-22-1 OS X NTP Security Update (23.12.2014)
 DEBIAN, [SECURITY] [DSA 3108-1] ntp security update (23.12.2014)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod