SecurityTracker.com

Category:   Application (Generic)  >   ntp
Vendors:   ntp.org
NTP Uses Weak Default Encryption Key and Weak RNG Seed
SecurityTracker Alert ID:  1031411
SecurityTracker URL:  http://securitytracker.com/id/1031411
CVE Reference:   CVE-2014-9293, CVE-2014-9294
Date:  Dec 20 2014
Impact:   Disclosure of system information, Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 4.2.7p230
Description:   Two vulnerabilities were reported in NTP. A remote user can access and modify data.

A remote user with the ability to conduct a man-in-the-middle attack can obtain encrypted data and decrypt it.

When no auth key is specified in the configuration file, the system generates a 31-bit key using a weak randomization function [CVE-2014-9293]. Versions prior to 4.2.7p11 [January 2010] are affected.

Neel Mehta of the Google Security Team reported this vulnerability.

ntp-keygen uses a weak seed to generate symmetric keys [CVE-2014-9294]. Versions prior to 4.2.7p230 [Nov 2011] are affected.

Stephen Roettger of the Google Security Team reported this vulnerability.

Impact:   A remote user can access and modify data.
Solution:   The vendor has issued a fix (4.2.7p230) [in November 2011].

The vendor's advisory is available at:

http://support.ntp.org/bin/view/Main/SecurityNotice

Vendor URL:  support.ntp.org/bin/view/Main/SecurityNotice
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)
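
An added example, not part of the SecurityTracker advisory or the NTP project's code: a Python check that maps an ntpd version string to the two CVEs, using the fix levels stated in the description above. The banner strings in the sample inventory are constructed, and treating a missing "pN" suffix as patch level 0 is an assumption.

```python
import re

# Fix levels as stated in the advisory text (upstream ntp.org versions).
FIXES = {
    "CVE-2014-9293": (4, 2, 7, 11),   # weak 31-bit default auth key
    "CVE-2014-9294": (4, 2, 7, 230),  # weak ntp-keygen RNG seed
}

# Matches "4.2.6p5", "4.2.8", or a version embedded in a longer banner.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(text):
    """Return (major, minor, micro, patch) from a version or banner string.

    Assumption: a missing "pN" suffix means patch level 0, so "4.2.8"
    sorts after "4.2.7p230" and before "4.2.8p1".
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no NTP version found in %r" % (text,))
    return tuple(int(g) if g is not None else 0 for g in match.groups())


def affected_cves(text):
    """List the CVEs from this advisory that apply to the given version."""
    version = parse_ntp_version(text)
    return sorted(cve for cve, fixed in FIXES.items() if version < fixed)


def audit(inventory):
    """Map each host name to the CVEs its reported ntpd version is exposed to."""
    return {host: affected_cves(banner) for host, banner in inventory.items()}


# Constructed sample inventory (host names and banners are illustrative only).
SAMPLE_INVENTORY = {
    "ntp-a.example": "ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:52:27 UTC 2012 (1)",
    "ntp-b.example": "4.2.7p11",
    "ntp-c.example": "4.2.7p230",
    "ntp-d.example": "ntpd 4.2.8p15",
}

if __name__ == "__main__":
    for host, cves in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, ", ".join(cves) if cves else "not affected by version")
```

Distribution packages that backport the fix (see the message history below) can keep an older upstream version string, so confirm those hosts against the vendor's package advisory rather than the version alone.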

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 20 2014 (Red Hat Issues Fix) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Red Hat has issued a fix for Red Hat Enterprise Linux 5, 6, and 7.
Dec 23 2014 (Ubuntu Issues Fix) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Ubuntu has issued a fix for Ubuntu 10.04 LTS, 12.04 LTS, 14.04 LTS, and 14.10.
Dec 24 2014 (FreeBSD Issues Fix) NTP Uses Weak Default Encryption Key and Weak RNG Seed
FreeBSD has issued a fix for FreeBSD 8.4, 9.1, 9.2, 9.3, 10.0, and 10.1.
Dec 25 2014 (Cisco Issues Advisory for Cisco Unified Communications Manager) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Cisco has issued an advisory for Cisco Unified Communications Manager.
Dec 25 2014 (Cisco Issues Advisory for Cisco Show and Share) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Cisco has issued an advisory for Cisco Show and Share.
Dec 25 2014 (Cisco Issues Advisory for Cisco TelePresence) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Cisco has issued an advisory for Cisco TelePresence.
Dec 25 2014 (Check Point Issues Advisory for Check Point IPSO) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Check Point has issued mitigation instructions for Check Point IPSO.
Dec 27 2014 (Cisco Issues Advisory for Cisco WebEx Meetings Server) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Cisco has issued an advisory for Cisco WebEx Meetings Server.
Dec 27 2014 (Cisco Issues Advisory for Cisco Nexus 3000 and 9000 Series Switches) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Cisco has issued an advisory for Cisco Nexus 3000 and 9000 series switches.
Dec 27 2014 (Cisco Issues Advisory for Cisco Finesse) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Cisco has issued an advisory for Cisco Finesse.
Dec 27 2014 (Cisco Issues Advisory for Cisco MediaSense) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Cisco has issued an advisory for Cisco MediaSense.
Dec 27 2014 (Cisco Issues Advisory for Cisco Digital Media Manager) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Cisco has issued an advisory for Cisco Digital Media Manager (DMM).
Dec 27 2014 (Cisco Issues Advisory for Cisco Unified Contact Center Express) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Cisco has issued an advisory for Cisco Unified Contact Center Express (UCCX).
Jan 7 2015 (Cisco Issues Advisory for Cisco Media Experience Engine) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Cisco has issued an advisory for Cisco Media Experience Engine.
Jan 7 2015 (Juniper Issues Advisory for Juniper NSM) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Juniper has issued an advisory for Juniper NSM.
Jan 7 2015 (Citrix Issues Advisory for Citrix NetScaler) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Citrix has issued an advisory for Citrix NetScaler.
Jan 28 2015 (Red Hat Issues Fix) NTP Uses Weak Default Encryption Key and Weak RNG Seed
Red Hat has issued a fix for Red Hat Enterprise Linux 6.5.
Feb 11 2015 (IBM Issues Fix for IBM AIX) NTP Uses Weak Default Encryption Key and Weak RNG Seed
IBM has issued a fix for IBM AIX 5.3, 6.1, and 7.1.
Feb 24 2015 (HP Issues Fix for HP-UX) NTP Uses Weak Default Encryption Key and Weak RNG Seed
HP has issued a fix for HP-UX 11.23 and 11.31.
Sep 10 2015 (HP Issues Fix for TCP/IP Services for OpenVMS) NTP Uses Weak Default Encryption Key and Weak RNG Seed
HP has issued a fix for TCP/IP Services for OpenVMS.




Copyright 2022, SecurityGlobal.net LLC