CVE-2014-9293

Publication date 19 December 2014

Last updated 24 July 2024

Ubuntu priority

The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
ntp	14.10 utopic	Fixed 1:4.2.6.p5+dfsg-3ubuntu2.14.10.1
	14.04 LTS trusty	Fixed 1:4.2.6.p5+dfsg-3ubuntu2.14.04.1
	12.04 LTS precise	Fixed 1:4.2.6.p3+dfsg-1ubuntu3.2
	10.04 LTS lucid	Fixed 1:4.2.4p8+dfsg-1ubuntu2.2

Notes

mdeslaur

upstream commit in 4.2.7p11 removes automatic key generation completely. Red Hat fixed the issue in a different way.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
ntp	Upstream: http://bk1.ntp.org/ntp-dev/ntpd/ntp_config.c?PAGE=diffs&REV=4b6089c5KXhXqZqocF0DMXnQQsjOuw Vendor: https://git.centos.org/blob/rpms!ntp.git/c054b85192ea340529fc9a659cac7ea6b893b50e/SOURCES!ntp-4.2.6p5-cve-2014-9293.patch

References

Related Ubuntu Security Notices (USN)