VARIoT IoT vulnerabilities database
| VAR-201412-0303 | CVE-2014-8017 | Cisco Identity Services Engine periodic-backup feature backup-encryption password disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.
An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.
This issue is being tracked by Cisco Bug ID CSCur41673. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies.
| VAR-201412-0304 | CVE-2014-8018 | Cisco Unified Communications Domain Manager Application software Business Voice Services Manager Page cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur19630, and CSCur19661. The vendor has confirmed this vulnerability and released it as Bug IDs CSCur19651, CSCur18555, CSCur19630, and CSCur19661. A third party may be able to insert arbitrary web script or HTML through a crafted URL.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
These issues are being tracked by Cisco Bug IDs CSCur19651, CSCur18555, CSCur19630 and CSCur19661. This component features scalable, distributed, and highly available enterprise Voice over IP call processing
| VAR-201904-0506 | CVE-2014-9186 | Honeywell Experion PKS file inclusion vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. Honeywell Experion PKS contains an input validation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. Honeywell Experion PKS has a file inclusion vulnerability because it fails to adequately filter the input provided by the user. An attacker could exploit this vulnerability to obtain sensitive information or execute arbitrary script code in the context of a web server process.
The following versions are affected:
Honeywell Experion R40x versions prior to Experion PKS R400.6
Honeywell Experion R41x versions prior to Experion PKS R410.6
Honeywell Experion R43x versions prior to Experion PKS R430.2. An attacker could exploit the vulnerability via a file inclusion attack by submitting a crafted function to the affected software.
Honeywell has confirmed the vulnerability and released updated software
| VAR-201412-0054 | CVE-2014-3410 | Cisco Adaptive Security Appliance Software syslog-management subsystem administrator password disclosure vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The syslog-management subsystem in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to obtain an administrator password by waiting for an administrator to copy a file, and then (1) sniffing the network for a syslog message or (2) reading a syslog message in a file on a syslog server, aka Bug IDs CSCuq22357 and CSCur41860.
An attacker can exploit this issue to gain access to passwords that may aid in further attacks.
This issue is being tracked by Cisco Bug IDs CSCuq22357 and CSCur41860
| VAR-201412-0292 | CVE-2014-8007 | Cisco Prime Infrastructure device-discovery password read vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Cisco Prime Infrastructure allows remote authenticated users to read device-discovery passwords by examining the HTML source code of the Quick Discovery options page, aka Bug ID CSCum00019. Cisco Prime Infrastructure contains a vulnerability that allows device-discovery passwords to be read.
An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.
This issue is being tracked by Cisco Bug ID CSCum00019.
| VAR-201412-0302 | CVE-2014-8016 | Cisco IronPort Email Security Appliance denial-of-service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Cisco IronPort Email Security Appliance (ESA) allows remote attackers to cause a denial of service (CPU consumption) via long Subject headers in e-mail messages, aka Bug ID CSCzv93864.
Successful exploitation of the issue will cause excessive CPU consumption, resulting in a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCzv93864. The appliance offers spam protection, email encryption, data loss prevention, and more
| VAR-201412-0305 | CVE-2014-8019 | Cisco Enterprise Content Delivery System Vulnerable to directory traversal |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Cisco Enterprise Content Delivery System (ECDS) allows remote attackers to read arbitrary files via a crafted URL, aka Bug ID CSCuo90148.
An attacker can exploit this issue to access arbitrary files in the context of the web server process, which may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCuo90148. The system consists of a variety of video transmission products, hardware devices and Cisco Wide Area Application Services (WAAS) virtual blade software, which can help enterprises transmit real-time video content through streaming or multicast, and support setup, configuration, maintenance and monitoring of video
| VAR-201412-0613 | CVE-2014-9295 | NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated) |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function. The NTP Project ntpd version 4.2.7 and previous versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client.
Corrected: 2014-14-22 19:07:16 UTC (stable/10, 10.1-STABLE)
2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3)
2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15)
2014-14-22 19:08:09 UTC (stable/9, 9.3-STABLE)
2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7)
2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17)
2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24)
2014-14-22 19:08:09 UTC (stable/8, 8.4-STABLE)
2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21)
CVE Name: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
II. [CVE-2014-9293]
The ntp-keygen(8) utility is also affected by a similar issue. [CVE-2014-9296]
III. Impact
The NTP protocol uses keys to implement authentication. The weak
seeding of the pseudo-random number generator makes it easier for an
attacker to brute-force keys, and thus may broadcast incorrect time stamps
or masquerade as another time server. [CVE-2014-9295]
IV. Workaround
No workaround is available, but systems not running ntpd(8) are not
affected. Because the issue may lead to remote root compromise, the
FreeBSD Security Team recommends system administrators to firewall NTP
ports, namely tcp/123 and udp/123 when it is not clear that all systems
have been patched or have ntpd(8) stopped.
V.
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch.asc
# gpg --verify ntp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the ntpd(8) daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r276073
releng/8.4/                                                       r276154
stable/9/                                                         r276073
releng/9.1/                                                       r276155
releng/9.2/                                                       r276156
releng/9.3/                                                       r276157
stable/10/                                                        r276072
releng/10.0/                                                      r276158
releng/10.1/                                                      r276159
-------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. 6.5) - i386, noarch, ppc64, s390x, x86_64
=====================================================================
Red Hat Security Advisory
Synopsis: Important: ntp security update
Advisory ID: RHSA-2014:2024-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-2024.html
Issue date: 2014-12-20
CVE Names: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295
CVE-2014-9296
=====================================================================
1. Summary:
Updated ntp packages that fix several security issues are now available
for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
3. Description:
The Network Time Protocol (NTP) is used to synchronize a computer's time
with a referenced time source.
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(),
ctl_putdata(), and configure() functions. Note: the crypto_recv() flaw requires non-default
configurations to be active, while the ctl_putdata() flaw, by default, can
only be exploited via local attackers, and the configure() flaw requires
additional authentication to exploit. (CVE-2014-9295)
It was found that ntpd automatically generated weak keys for its internal
use if no ntpdc request authentication key was specified in the ntp.conf
configuration file. A remote attacker able to match the configured IP
restrictions could guess the generated key, and possibly use it to send
ntpdc query or configuration requests. (CVE-2014-9293)
It was found that ntp-keygen used a weak method for generating MD5 keys.
This could possibly allow an attacker to guess generated MD5 keys that
could then be used to spoof an NTP client or server. Note: it is
recommended to regenerate any MD5 keys that had explicitly been generated
with ntp-keygen; the default installation does not contain such keys.
(CVE-2014-9294)
A missing return statement in the receive() function could potentially
allow a remote attacker to bypass NTP's authentication mechanism.
(CVE-2014-9296)
All ntp users are advised to upgrade to this updated package, which
contains backported patches to resolve these issues. After installing the
update, the ntpd daemon will restart automatically.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1176032 - CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
1176035 - CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
1176037 - CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
1176040 - CVE-2014-9296 ntp: receive() missing return on error
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
i386:
ntp-4.2.6p5-2.el6_6.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntpdate-4.2.6p5-2.el6_6.i686.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntp-perl-4.2.6p5-2.el6_6.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
i386:
ntp-4.2.6p5-2.el6_6.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntpdate-4.2.6p5-2.el6_6.i686.rpm
ppc64:
ntp-4.2.6p5-2.el6_6.ppc64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.ppc64.rpm
ntpdate-4.2.6p5-2.el6_6.ppc64.rpm
s390x:
ntp-4.2.6p5-2.el6_6.s390x.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.s390x.rpm
ntpdate-4.2.6p5-2.el6_6.s390x.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntp-perl-4.2.6p5-2.el6_6.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-2.el6_6.ppc64.rpm
ntp-perl-4.2.6p5-2.el6_6.ppc64.rpm
s390x:
ntp-debuginfo-4.2.6p5-2.el6_6.s390x.rpm
ntp-perl-4.2.6p5-2.el6_6.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
i386:
ntp-4.2.6p5-2.el6_6.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntpdate-4.2.6p5-2.el6_6.i686.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntp-perl-4.2.6p5-2.el6_6.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
ppc64:
ntp-4.2.6p5-19.el7_0.ppc64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.ppc64.rpm
ntpdate-4.2.6p5-19.el7_0.ppc64.rpm
s390x:
ntp-4.2.6p5-19.el7_0.s390x.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.s390x.rpm
ntpdate-4.2.6p5-19.el7_0.s390x.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-19.el7_0.ppc64.rpm
sntp-4.2.6p5-19.el7_0.ppc64.rpm
s390x:
ntp-debuginfo-4.2.6p5-19.el7_0.s390x.rpm
sntp-4.2.6p5-19.el7_0.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-9293
https://access.redhat.com/security/cve/CVE-2014-9294
https://access.redhat.com/security/cve/CVE-2014-9295
https://access.redhat.com/security/cve/CVE-2014-9296
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
APPLE-SA-2014-12-22-1 OS X NTP Security Update
OS X NTP Security Update is now available and addresses the
following:
ntpd
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10.1
Impact: A remote attacker may be able to execute arbitrary code
Description: Several issues existed in ntpd that would have allowed
an attacker to trigger buffer overflows. These issues were addressed
through improved error checking.
To verify the ntpd version, type the following command in Terminal:
what /usr/sbin/ntpd.
Release Date: 2015-02-18
Last Updated: 2015-04-08
Potential Security Impact: Remote execution of code, Denial of Service (DoS),
or other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running
NTP. These could be exploited remotely to execute code, create a Denial of
Service (DoS), or other vulnerabilities.
References:
CVE-2014-9293 - Insufficient Entropy in Pseudo-Random Number Generator (PRNG)
(CWE-332)
CVE-2014-9294 - Use of Cryptographically Weak PRNG (CWE-338)
CVE-2014-9295 - Stack Buffer Overflow (CWE-121)
CVE-2014-9296 - Error Conditions, Return Values, Status Codes (CWE-389)
CVE-2014-9297 - Improper Check for Unusual or Exceptional Conditions
(CWE-754)
SSRT101872
VU#852879
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.31 running NTP version C.4.2.6.4.0 or previous
HP-UX B.11.23 running XNTP version 3.5 or previous
HP-UX B.11.11 running XNTP version 3.5 or previous
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-9293 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9294 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9295 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9296 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-9297 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following solutions for HP-UX B.11.31, HP-UX B.11.23, and
HP-UX B.11.11.
The two patches are available from the HP Support Center (HPSC).
http://h20565.www2.hp.com/portal/site/hpsc?
A new B.11.31 depot for HP-UX-NTP_C.4.2.6.5.0 is available here:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-NTP
The B.11.31 image HP-UX-NTP_C.4.2.6.5.0
The B.11.23 patch PHNE_44236 for NTP v3.5
The B.11.11 patch PHNE_44235 for NTP v3.5
Mitigation steps for HP-UX B.11.23 and HP-UX B.11.11 for CVE-2014-9295
Restrict query for server status (Time Service is not affected) from
ntpq/ntpdc by enabling noquery using the restrict command in /etc/ntp.conf
file.
Reference: http://support.ntp.org/bin/view/Main/SecurityNotice
MANUAL ACTIONS: Yes - Update
If patch installation on B.11.11 or B.11.23 is not possible, mitigate with
step above.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
==================
InternetSrvcs.INETSVCS-BOOT
action: install PHNE_44235 or subsequent
HP-UX B.11.23
==================
InternetSrvcs.INETSVCS2-BOOT
action: install PHNE_44236 or subsequent
HP-UX B.11.31
==================
NTP.INETSVCS2-BOOT
NTP.NTP-AUX
NTP.NTP-RUN
action: install revision C.4.2.6.5.0 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 18 February 2015 Initial release
Version:2 (rev.2) - 8 April 2015 Added B.11.23 and B.11.11 patches
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
This situation may be exploitable by an attacker
(CVE-2014-9296).
Stephen Roettger of the Google Security Team, Sebastian Krahmer of
the SUSE Security Team and Harlan Stenn of Network Time Foundation
discovered that the length value in extension fields is not properly
validated in several code paths in ntp_crypto.c, which could lead to
information leakage or denial of service (CVE-2014-9297).
Stephen Roettger of the Google Security Team reported that ACLs based
on IPv6 ::1 (localhost) addresses can be bypassed (CVE-2014-9298).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298
http://advisories.mageia.org/MGASA-2014-0541.html
http://advisories.mageia.org/MGASA-2015-0063.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
8f7d14b95c55bd1de7230cff0c8ea9d7 mbs2/x86_64/ntp-4.2.6p5-16.1.mbs2.x86_64.rpm
09063ab11459b1f935809b37c742ff12 mbs2/x86_64/ntp-client-4.2.6p5-16.1.mbs2.x86_64.rpm
7a0d0eca35911d9f15b76b474c5512cf mbs2/x86_64/ntp-doc-4.2.6p5-16.1.mbs2.noarch.rpm
cb0371050702950084ff633ea45c2c5c mbs2/SRPMS/ntp-4.2.6p5-16.1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.8-i486-1_slack14.1.txz: Upgraded.
In addition to bug fixes and enhancements, this release fixes
several high-severity vulnerabilities discovered by Neel Mehta
and Stephen Roettger of the Google Security Team.
For more information, see:
https://www.kb.cert.org/vuls/id/852879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8-x86_64-1_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8-x86_64-1.txz
MD5 signatures:
+-------------+
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg ntp-4.2.8-i486-1_slack14.1.txz
Then, restart the NTP daemon:
# sh /etc/rc.d/rc.ntpd restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
The net-misc/ntp package contains the official reference
implementation by the NTP Project.
Affected packages
=================
-------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  net-misc/ntp                  < 4.2.8                    >= 4.2.8
Description
===========
Multiple vulnerabilities have been discovered in NTP. Please review the
CVE identifiers referenced below for details.
Resolution
==========
All NTP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8"
References
==========
[ 1 ] CVE-2014-9293
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9293
[ 2 ] CVE-2014-9294
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9294
[ 3 ] CVE-2014-9295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9295
[ 4 ] CVE-2014-9296
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9296
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-34.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201412-0615 | CVE-2014-9293 | NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated) |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. The NTP Project ntpd version 4.2.7 and previous versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client. Supplementary information: the vulnerability type has been identified as CWE-332: Insufficient Entropy in PRNG. http://cwe.mitre.org/data/definitions/332.html A third party could use a brute-force attack to break cryptographic protection mechanisms. Network Time Protocol is prone to multiple stack-based buffer-overflow vulnerabilities because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Successful exploits may allow an attacker to execute arbitrary code with the privileges of the ntpd process. Failed attempts will likely cause a denial-of-service condition. Network Time Protocol is prone to an unspecified security vulnerability.
Little is known about this issue or its effects at this time. We will update this BID as more information emerges.
Network Time Protocol 4.2.7 is vulnerable; other versions may also be affected.
Corrected: 2014-14-22 19:07:16 UTC (stable/10, 10.1-STABLE)
2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3)
2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15)
2014-14-22 19:08:09 UTC (stable/9, 9.3-STABLE)
2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7)
2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17)
2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24)
2014-14-22 19:08:09 UTC (stable/8, 8.4-STABLE)
2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21)
CVE Name: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
II. [CVE-2014-9293]
The ntp-keygen(8) utility is also affected by a similar issue.
[CVE-2014-9294]
When Autokey Authentication is enabled, for example if ntp.conf(5) contains
a 'crypto pw' directive, a remote attacker can send a carefully
crafted packet that can overflow a stack buffer. [CVE-2014-9296]
III. Impact
The NTP protocol uses keys to implement authentication. The weak
seeding of the pseudo-random number generator makes it easier for an
attacker to brute-force keys, and thus may broadcast incorrect time stamps
or masquerade as another time server. [CVE-2014-9295]
IV. Workaround
No workaround is available, but systems not running ntpd(8) are not
affected. Because the issue may lead to remote root compromise, the
FreeBSD Security Team recommends system administrators to firewall NTP
ports, namely tcp/123 and udp/123 when it is not clear that all systems
have been patched or have ntpd(8) stopped.
V.
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch.asc
# gpg --verify ntp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the ntpd(8) daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r276073
releng/8.4/                                                       r276154
stable/9/                                                         r276073
releng/9.1/                                                       r276155
releng/9.2/                                                       r276156
releng/9.3/                                                       r276157
stable/10/                                                        r276072
releng/10.0/                                                      r276158
releng/10.1/                                                      r276159
-------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. 6.5) - i386, noarch, ppc64, s390x, x86_64
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: ntp security update
Advisory ID: RHSA-2014:2024-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-2024.html
Issue date: 2014-12-20
CVE Names: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295
CVE-2014-9296
=====================================================================
1. Summary:
Updated ntp packages that fix several security issues are now available
for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
3.
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(),
ctl_putdata(), and configure() functions. Note: the crypto_recv() flaw requires non-default
configurations to be active, while the ctl_putdata() flaw, by default, can
only be exploited via local attackers, and the configure() flaw requires
additional authentication to exploit. A remote attacker able to match the configured IP
restrictions could guess the generated key, and possibly use it to send
ntpdc query or configuration requests. (CVE-2014-9293)
It was found that ntp-keygen used a weak method for generating MD5 keys.
This could possibly allow an attacker to guess generated MD5 keys that
could then be used to spoof an NTP client or server. Note: it is
recommended to regenerate any MD5 keys that had explicitly been generated
with ntp-keygen; the default installation does not contain such keys.
(CVE-2014-9294)
A missing return statement in the receive() function could potentially
allow a remote attacker to bypass NTP's authentication mechanism.
(CVE-2014-9296)
All ntp users are advised to upgrade to this updated package, which
contains backported patches to resolve these issues. After installing the
update, the ntpd daemon will restart automatically.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1176032 - CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
1176035 - CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
1176037 - CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
1176040 - CVE-2014-9296 ntp: receive() missing return on error
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
i386:
ntp-4.2.6p5-2.el6_6.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntpdate-4.2.6p5-2.el6_6.i686.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntp-perl-4.2.6p5-2.el6_6.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
i386:
ntp-4.2.6p5-2.el6_6.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntpdate-4.2.6p5-2.el6_6.i686.rpm
ppc64:
ntp-4.2.6p5-2.el6_6.ppc64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.ppc64.rpm
ntpdate-4.2.6p5-2.el6_6.ppc64.rpm
s390x:
ntp-4.2.6p5-2.el6_6.s390x.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.s390x.rpm
ntpdate-4.2.6p5-2.el6_6.s390x.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntp-perl-4.2.6p5-2.el6_6.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-2.el6_6.ppc64.rpm
ntp-perl-4.2.6p5-2.el6_6.ppc64.rpm
s390x:
ntp-debuginfo-4.2.6p5-2.el6_6.s390x.rpm
ntp-perl-4.2.6p5-2.el6_6.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
i386:
ntp-4.2.6p5-2.el6_6.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntpdate-4.2.6p5-2.el6_6.i686.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntp-perl-4.2.6p5-2.el6_6.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
ppc64:
ntp-4.2.6p5-19.el7_0.ppc64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.ppc64.rpm
ntpdate-4.2.6p5-19.el7_0.ppc64.rpm
s390x:
ntp-4.2.6p5-19.el7_0.s390x.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.s390x.rpm
ntpdate-4.2.6p5-19.el7_0.s390x.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-19.el7_0.ppc64.rpm
sntp-4.2.6p5-19.el7_0.ppc64.rpm
s390x:
ntp-debuginfo-4.2.6p5-19.el7_0.s390x.rpm
sntp-4.2.6p5-19.el7_0.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-9293
https://access.redhat.com/security/cve/CVE-2014-9294
https://access.redhat.com/security/cve/CVE-2014-9295
https://access.redhat.com/security/cve/CVE-2014-9296
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUlOKcXlSAg2UNWIIRAvBoAKCfw+j4ua5JaIRMc5eKkny9G1yWlgCgufNc
EvBImTd+Vq7//UExow1FP4U=
=m/Eb
-----END PGP SIGNATURE-----
Attackers could use this key to
reconfigure ntpd (or to exploit other vulnerabilities).
The default ntpd configuration in Debian restricts access to localhost
(and possibly the adjacent network in case of IPv6).
For the stable distribution (wheezy), these problems have been fixed in
version 1:4.2.6.p5+dfsg-2+deb7u1.
We recommend that you upgrade your ntp packages.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.8-i486-1_slack14.1.txz: Upgraded.
In addition to bug fixes and enhancements, this release fixes
several high-severity vulnerabilities discovered by Neel Mehta
and Stephen Roettger of the Google Security Team.
For more information, see:
https://www.kb.cert.org/vuls/id/852879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8-x86_64-1_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8-x86_64-1.txz
MD5 signatures:
+-------------+
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg ntp-4.2.8-i486-1_slack14.1.txz
Then, restart the NTP daemon:
# sh /etc/rc.d/rc.ntpd restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-34
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: NTP: Multiple vulnerabilities
Date: December 24, 2014
Bugs: #533076
ID: 201412-34
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in NTP, the worst of which
could result in remote execution of arbitrary code. The net-misc/ntp package contains the official reference
implementation by the NTP Project.
Affected packages
=================
-------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  net-misc/ntp                  < 4.2.8                    >= 4.2.8
Description
===========
Multiple vulnerabilities have been discovered in NTP. Please review the
CVE identifiers referenced below for details.
Resolution
==========
All NTP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8"
References
==========
[ 1 ] CVE-2014-9293
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9293
[ 2 ] CVE-2014-9294
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9294
[ 3 ] CVE-2014-9295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9295
[ 4 ] CVE-2014-9296
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9296
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-34.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201412-0612 | CVE-2014-9296 | NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets. The NTP Project ntpd version 4.2.7 and previous versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client. Supplementary information: the vulnerability type has been identified as CWE-17: Code. http://cwe.mitre.org/data/definitions/17.html A third party can trigger unintended association changes through crafted packets. Network Time Protocol is prone to an unspecified security vulnerability.
Little is known about this issue or its effects at this time. We will update this BID as more information emerges.
Network Time Protocol 4.2.7 is vulnerable; other versions may also be affected.
Corrected: 2014-14-22 19:07:16 UTC (stable/10, 10.1-STABLE)
2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3)
2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15)
2014-14-22 19:08:09 UTC (stable/9, 9.3-STABLE)
2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7)
2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17)
2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24)
2014-14-22 19:08:09 UTC (stable/8, 8.4-STABLE)
2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21)
CVE Name: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
II. [CVE-2014-9293]
The ntp-keygen(8) utility is also affected by a similar issue.
[CVE-2014-9294]
When Autokey Authentication is enabled, for example if ntp.conf(5) contains
a 'crypto pw' directive, a remote attacker can send a carefully
crafted packet that can overflow a stack buffer. [CVE-2014-9296]
III. Impact
The NTP protocol uses keys to implement authentication. The weak
seeding of the pseudo-random number generator makes it easier for an
attacker to brute-force keys, and thus may broadcast incorrect time stamps
or masquerade as another time server. [CVE-2014-9295]
IV. Workaround
No workaround is available, but systems not running ntpd(8) are not
affected. Because the issue may lead to remote root compromise, the
FreeBSD Security Team recommends system administrators to firewall NTP
ports, namely tcp/123 and udp/123 when it is not clear that all systems
have been patched or have ntpd(8) stopped.
V.
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch.asc
# gpg --verify ntp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the ntpd(8) daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r276073
releng/8.4/                                                       r276154
stable/9/                                                         r276073
releng/9.1/                                                       r276155
releng/9.2/                                                       r276156
releng/9.3/                                                       r276157
stable/10/                                                        r276072
releng/10.0/                                                      r276158
releng/10.1/                                                      r276159
-------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. This situation may be exploitable by an attacker
(CVE-2014-9296).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
http://advisories.mageia.org/MGASA-2014-0541.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
25fe56fc0649ac9bb83be467969c2380 mbs1/x86_64/ntp-4.2.6p5-8.1.mbs1.x86_64.rpm
9409f5337bc2a2682e09db81e769cd5c mbs1/x86_64/ntp-client-4.2.6p5-8.1.mbs1.x86_64.rpm
df65cc9c536cdd461e1ef95318ab0d3b mbs1/x86_64/ntp-doc-4.2.6p5-8.1.mbs1.x86_64.rpm
53f446bffdf6e87726a9772e946c5e34 mbs1/SRPMS/ntp-4.2.6p5-8.1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. 6.5) - i386, noarch, ppc64, s390x, x86_64
3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: ntp security update
Advisory ID: RHSA-2014:2024-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-2024.html
Issue date: 2014-12-20
CVE Names: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295
CVE-2014-9296
=====================================================================
1. Summary:
Updated ntp packages that fix several security issues are now available
for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
3. Description:
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(),
ctl_putdata(), and configure() functions. Note: the crypto_recv() flaw requires non-default
configurations to be active, while the ctl_putdata() flaw, by default, can
only be exploited via local attackers, and the configure() flaw requires
additional authentication to exploit. (CVE-2014-9295)
It was found that ntpd automatically generated weak keys for its internal
use if no ntpdc request authentication key was specified in the ntp.conf
configuration file. A remote attacker able to match the configured IP
restrictions could guess the generated key, and possibly use it to send
ntpdc query or configuration requests. (CVE-2014-9293)
It was found that ntp-keygen used a weak method for generating MD5 keys.
This could possibly allow an attacker to guess generated MD5 keys that
could then be used to spoof an NTP client or server. Note: it is
recommended to regenerate any MD5 keys that had explicitly been generated
with ntp-keygen; the default installation does not contain such keys.
(CVE-2014-9294)
A missing return statement in the receive() function could potentially
allow a remote attacker to bypass NTP's authentication mechanism.
(CVE-2014-9296)
All ntp users are advised to upgrade to this updated package, which
contains backported patches to resolve these issues. After installing the
update, the ntpd daemon will restart automatically.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1176032 - CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
1176035 - CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
1176037 - CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
1176040 - CVE-2014-9296 ntp: receive() missing return on error
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
i386:
ntp-4.2.6p5-2.el6_6.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntpdate-4.2.6p5-2.el6_6.i686.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntp-perl-4.2.6p5-2.el6_6.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
i386:
ntp-4.2.6p5-2.el6_6.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntpdate-4.2.6p5-2.el6_6.i686.rpm
ppc64:
ntp-4.2.6p5-2.el6_6.ppc64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.ppc64.rpm
ntpdate-4.2.6p5-2.el6_6.ppc64.rpm
s390x:
ntp-4.2.6p5-2.el6_6.s390x.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.s390x.rpm
ntpdate-4.2.6p5-2.el6_6.s390x.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntp-perl-4.2.6p5-2.el6_6.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-2.el6_6.ppc64.rpm
ntp-perl-4.2.6p5-2.el6_6.ppc64.rpm
s390x:
ntp-debuginfo-4.2.6p5-2.el6_6.s390x.rpm
ntp-perl-4.2.6p5-2.el6_6.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ntp-4.2.6p5-2.el6_6.src.rpm
i386:
ntp-4.2.6p5-2.el6_6.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntpdate-4.2.6p5-2.el6_6.i686.rpm
x86_64:
ntp-4.2.6p5-2.el6_6.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntpdate-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
ntp-debuginfo-4.2.6p5-2.el6_6.i686.rpm
ntp-perl-4.2.6p5-2.el6_6.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_6.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_6.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_6.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
ppc64:
ntp-4.2.6p5-19.el7_0.ppc64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.ppc64.rpm
ntpdate-4.2.6p5-19.el7_0.ppc64.rpm
s390x:
ntp-4.2.6p5-19.el7_0.s390x.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.s390x.rpm
ntpdate-4.2.6p5-19.el7_0.s390x.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-19.el7_0.ppc64.rpm
sntp-4.2.6p5-19.el7_0.ppc64.rpm
s390x:
ntp-debuginfo-4.2.6p5-19.el7_0.s390x.rpm
sntp-4.2.6p5-19.el7_0.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
ntp-4.2.6p5-19.el7_0.src.rpm
x86_64:
ntp-4.2.6p5-19.el7_0.x86_64.rpm
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
ntpdate-4.2.6p5-19.el7_0.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-19.el7_0.noarch.rpm
ntp-perl-4.2.6p5-19.el7_0.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-19.el7_0.x86_64.rpm
sntp-4.2.6p5-19.el7_0.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-9293
https://access.redhat.com/security/cve/CVE-2014-9294
https://access.redhat.com/security/cve/CVE-2014-9295
https://access.redhat.com/security/cve/CVE-2014-9296
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
Release Date: 2015-02-18
Last Updated: 2015-04-08
Potential Security Impact: Remote execution of code, Denial of Service (DoS),
or other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running
NTP. These could be exploited remotely to execute code, create a Denial of
Service (DoS), or other vulnerabilities.
References:
CVE-2014-9293 - Insufficient Entropy in Pseudo-Random Number Generator (PRNG)
(CWE-332)
CVE-2014-9294 - Use of Cryptographically Weak PRNG (CWE-338)
CVE-2014-9295 - Stack Buffer Overflow (CWE-121)
CVE-2014-9296 - Error Conditions, Return Values, Status Codes (CWE-389)
CVE-2014-9297 - Improper Check for Unusual or Exceptional Conditions
(CWE-754)
SSRT101872
VU#852879
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.31 running NTP version C.4.2.6.4.0 or previous
HP-UX B.11.23 running XNTP version 3.5 or previous
HP-UX B.11.11 running XNTP version 3.5 or previous
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference        Base Vector                     Base Score
CVE-2014-9293    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2014-9294    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2014-9295    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2014-9296    (AV:N/AC:L/Au:N/C:N/I:N/A:P)    5.0
CVE-2014-9297    (AV:N/AC:H/Au:N/C:P/I:N/A:N)    2.6
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following solutions for HP-UX B.11.31, HP-UX B.11.23, and
HP-UX B.11.11.
The two patches are available from the HP Support Center (HPSC).
http://h20565.www2.hp.com/portal/site/hpsc?
A new B.11.31 depot for HP-UX-NTP_C.4.2.6.5.0 is available here:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-NTP
The B.11.31 image HP-UX-NTP_C.4.2.6.5.0
The B.11.23 patch PHNE_44236 for NTP v3.5
The B.11.11 patch PHNE_44235 for NTP v3.5
Mitigation steps for HP-UX B.11.23 and HP-UX B.11.11 for CVE-2014-9295
Restrict query for server status (Time Service is not affected) from
ntpq/ntpdc by enabling noquery using the restrict command in /etc/ntp.conf
file.
Reference: http://support.ntp.org/bin/view/Main/SecurityNotice
MANUAL ACTIONS: Yes - Update
If patch installation on B.11.11 or B.11.23 is not possible, mitigate with
step above.
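The configuration conditions named in these advisories (status queries not limited by noquery, an Autokey 'crypto' directive, no requestkey line) can be checked mechanically. The following Python audit is an added example, not part of the HP bulletin or of any vendor tool; the function names, finding codes and the sample ntp.conf are constructed for illustration, and skipping loopback restrict entries is an assumption.

```python
"""Audit ntp.conf text for the exposure conditions named in the advisories.

Added example: finding codes and the sample configuration are constructed.
"""

# Assumption: loopback entries are not reported, since the advisories treat
# local-only query access as the default, lower-risk case.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _directives(conf_text):
    """Yield (line_no, tokens) for every non-empty, non-comment line."""
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line_no, line.split()


def _parse_restrict(tokens):
    """Return (address, flags) for 'restrict [-4|-6] addr [mask m] [flag ...]'."""
    args = [t for t in tokens[1:] if t not in ("-4", "-6")]
    if not args:
        return None, set()
    address, rest = args[0].lower(), args[1:]
    if rest and rest[0].lower() == "mask":
        rest = rest[2:]  # drop 'mask' and the netmask value
    return address, {flag.lower() for flag in rest}


def audit_ntp_conf(conf_text):
    """Return a list of (code, line_no, detail); line_no 0 means file-wide."""
    findings = []
    has_default = False
    has_requestkey = False

    for line_no, tokens in _directives(conf_text):
        keyword = tokens[0].lower()
        if keyword == "restrict":
            address, flags = _parse_restrict(tokens)
            if address is None:
                continue
            if address == "default":
                has_default = True
            if address in LOOPBACK:
                continue
            # 'ignore' drops all packets, so it also blocks ntpq/ntpdc queries.
            if not flags & {"noquery", "ignore"}:
                findings.append((
                    "QUERY_ALLOWED", line_no,
                    f"restrict {address} lacks noquery: ntpq/ntpdc status "
                    "queries reach ctl_putdata() (CVE-2014-9295)"))
        elif keyword == "crypto":
            findings.append((
                "AUTOKEY_ENABLED", line_no,
                "crypto directive enables Autokey, the non-default setup "
                "needed for the crypto_recv() overflow (CVE-2014-9295)"))
        elif keyword == "requestkey":
            has_requestkey = True

    if not has_default:
        findings.append((
            "NO_DEFAULT_RESTRICT", 0,
            "no 'restrict default' line: hosts not matched by another "
            "restrict entry are unrestricted"))
    if not has_requestkey:
        findings.append((
            "NO_REQUESTKEY", 0,
            "no requestkey: unpatched ntpd generates a weak internal key "
            "for ntpdc requests (CVE-2014-9293)"))
    return findings


# Constructed sample configuration (not taken from any advisory).
SAMPLE_CONF = """\
# constructed sample
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
crypto pw examplepassword
keys /etc/ntp/keys
server ntp.example.org iburst
"""

# Constructed hardened counterpart: queries refused, explicit request key.
HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
keys /etc/ntp/keys
requestkey 1
server ntp.example.org iburst
"""

if __name__ == "__main__":
    for code, line_no, detail in audit_ntp_conf(SAMPLE_CONF):
        where = f"line {line_no}" if line_no else "file"
        print(f"[{code}] {where}: {detail}")
```

A clean result only means the mitigations are configured; it does not show that the patched ntp package is installed.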
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
==================
InternetSrvcs.INETSVCS-BOOT
action: install PHNE_44235 or subsequent
HP-UX B.11.23
==================
InternetSrvcs.INETSVCS2-BOOT
action: install PHNE_44236 or subsequent
HP-UX B.11.31
==================
NTP.INETSVCS2-BOOT
NTP.NTP-AUX
NTP.NTP-RUN
action: install revision C.4.2.6.5.0 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 18 February 2015 Initial release
Version:2 (rev.2) - 8 April 2015 Added B.11.23 and B.11.11 patches
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Copyright 2015 Hewlett-Packard Development Company, L.P.
On December 19, 2014, NTP.org and US-CERT released security advisories detailing two issues regarding weak cryptographic pseudorandom number generation (PRNG), three buffer overflow vulnerabilities, and an unhandled error condition with an unknown impact.
Cisco will release free software updates that address these vulnerabilities.
Workarounds that mitigate these vulnerabilities are available.
Attackers could use this key to
reconfigure ntpd (or to exploit other vulnerabilities).
The default ntpd configuration in Debian restricts access to localhost
(and possibly the adjacent network in case of IPv6).
For the stable distribution (wheezy), these problems have been fixed in
version 1:4.2.6.p5+dfsg-2+deb7u1.
We recommend that you upgrade your ntp packages.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.8-i486-1_slack14.1.txz: Upgraded.
In addition to bug fixes and enhancements, this release fixes
several high-severity vulnerabilities discovered by Neel Mehta
and Stephen Roettger of the Google Security Team.
For more information, see:
https://www.kb.cert.org/vuls/id/852879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8-x86_64-1_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8-i486-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8-x86_64-1.txz
MD5 signatures:
+-------------+
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg ntp-4.2.8-i486-1_slack14.1.txz
Then, restart the NTP daemon:
# sh /etc/rc.d/rc.ntpd restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
============================================================================
Ubuntu Security Notice USN-2449-1
December 22, 2014
ntp vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in NTP. The default compiler options for affected releases should reduce the
vulnerability to a denial of service. In addition, attackers would be
isolated by the NTP AppArmor profile. (CVE-2014-9295)
Stephen Roettger discovered that NTP incorrectly continued processing when
handling certain errors. (CVE-2014-9296)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.10.1
Ubuntu 14.04 LTS:
ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.1
Ubuntu 12.04 LTS:
ntp 1:4.2.6.p3+dfsg-1ubuntu3.2
Ubuntu 10.04 LTS:
ntp 1:4.2.4p8+dfsg-1ubuntu2.2
After a standard system update you need to regenerate any MD5 keys that
were manually created with ntp-keygen.
The net-misc/ntp package contains the official reference
implementation by the NTP Project.
Affected packages
=================
-------------------------------------------------------------------
     Package       /   Vulnerable   /   Unaffected
-------------------------------------------------------------------
  1  net-misc/ntp       < 4.2.8          >= 4.2.8
Description
===========
Multiple vulnerabilities have been discovered in NTP. Please review the
CVE identifiers referenced below for details.
Resolution
==========
All NTP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8"
References
==========
[ 1 ] CVE-2014-9293
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9293
[ 2 ] CVE-2014-9294
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9294
[ 3 ] CVE-2014-9295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9295
[ 4 ] CVE-2014-9296
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9296
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-34.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201412-0614 | CVE-2014-9294 | NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated) |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. The NTP Project ntpd version 4.2.7 and previous versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client. NTP is prone to a predictable random number generator weakness.
An attacker can exploit this issue to guess generated MD5 keys that could then be used to spoof an NTP client or server.
Corrected: 2014-14-22 19:07:16 UTC (stable/10, 10.1-STABLE)
2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3)
2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15)
2014-14-22 19:08:09 UTC (stable/9, 9.3-STABLE)
2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7)
2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17)
2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24)
2014-14-22 19:08:09 UTC (stable/8, 8.4-STABLE)
2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21)
CVE Name: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
II. [CVE-2014-9293]
The ntp-keygen(8) utility is also affected by a similar issue.
[CVE-2014-9294]
When Autokey Authentication is enabled, for example if ntp.conf(5) contains
a 'crypto pw' directive, a remote attacker can send a carefully
crafted packet that can overflow a stack buffer. [CVE-2014-9296]
III. Impact
The NTP protocol uses keys to implement authentication. The weak
seeding of the pseudo-random number generator makes it easier for an
attacker to brute-force keys, and thus may broadcast incorrect time stamps
or masquerade as another time server. [CVE-2014-9295]
IV. Workaround
No workaround is available, but systems not running ntpd(8) are not
affected. Because the issue may lead to remote root compromise, the
FreeBSD Security Team recommends system administrators to firewall NTP
ports, namely tcp/123 and udp/123 when it is not clear that all systems
have been patched or have ntpd(8) stopped.
V.
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch.asc
# gpg --verify ntp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the ntpd(8) daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r276073
releng/8.4/                                                       r276154
stable/9/                                                         r276073
releng/9.1/                                                       r276155
releng/9.2/                                                       r276156
releng/9.3/                                                       r276157
stable/10/                                                        r276072
releng/10.0/                                                      r276158
releng/10.1/                                                      r276159
-------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII.
See the RESOLUTION
section for a list of impacted hardware and Comware 5, Comware 5 Low
Encryption SW, Comware 7, and VCX versions.
=====================================================================
Red Hat Security Advisory
Synopsis: Important: ntp security update
Advisory ID: RHSA-2015:0104-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0104.html
Issue date: 2015-01-28
CVE Names: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295
CVE-2014-9296
=====================================================================
1. Summary:
Updated ntp packages that fix several security issues are now available for
Red Hat Enterprise Linux 6.5 Extended Update Support.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.5) - noarch, x86_64
Red Hat Enterprise Linux HPC Node EUS (v. 6.5) - x86_64
Red Hat Enterprise Linux Server EUS (v. 6.5) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional EUS (v. 6.5) - i386, noarch, ppc64, s390x, x86_64
3. Description:
The Network Time Protocol (NTP) is used to synchronize a computer's time
with a referenced time source.
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(),
ctl_putdata(), and configure() functions. A remote attacker could use
either of these flaws to send a specially crafted request packet that could
crash ntpd or, potentially, execute arbitrary code with the privileges of
the ntp user. Note: the crypto_recv() flaw requires non-default
configurations to be active, while the ctl_putdata() flaw, by default, can
only be exploited via local attackers, and the configure() flaw requires
additional authentication to exploit. (CVE-2014-9295)
It was found that ntpd automatically generated weak keys for its internal
use if no ntpdc request authentication key was specified in the ntp.conf
configuration file. A remote attacker able to match the configured IP
restrictions could guess the generated key, and possibly use it to send
ntpdc query or configuration requests. (CVE-2014-9293)
It was found that ntp-keygen used a weak method for generating MD5 keys. Note: it is
recommended to regenerate any MD5 keys that had explicitly been generated
with ntp-keygen; the default installation does not contain such keys.
(CVE-2014-9294)
A missing return statement in the receive() function could potentially
allow a remote attacker to bypass NTP's authentication mechanism.
(CVE-2014-9296)
All ntp users are advised to upgrade to this updated package, which
contains backported patches to resolve these issues. After installing the
update, the ntpd daemon will restart automatically.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1176032 - CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
1176035 - CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
1176037 - CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
1176040 - CVE-2014-9296 ntp: receive() missing return on error
6. Package List:
Red Hat Enterprise Linux HPC Node EUS (v. 6.5):
Source:
ntp-4.2.6p5-2.el6_5.src.rpm
x86_64:
ntp-4.2.6p5-2.el6_5.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_5.x86_64.rpm
ntpdate-4.2.6p5-2.el6_5.x86_64.rpm
Red Hat Enterprise Linux Compute Node Optional EUS (v. 6.5):
Source:
ntp-4.2.6p5-2.el6_5.src.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_5.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_5.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_5.x86_64.rpm
Red Hat Enterprise Linux Server EUS (v. 6.5):
Source:
ntp-4.2.6p5-2.el6_5.src.rpm
i386:
ntp-4.2.6p5-2.el6_5.i686.rpm
ntp-debuginfo-4.2.6p5-2.el6_5.i686.rpm
ntpdate-4.2.6p5-2.el6_5.i686.rpm
ppc64:
ntp-4.2.6p5-2.el6_5.ppc64.rpm
ntp-debuginfo-4.2.6p5-2.el6_5.ppc64.rpm
ntpdate-4.2.6p5-2.el6_5.ppc64.rpm
s390x:
ntp-4.2.6p5-2.el6_5.s390x.rpm
ntp-debuginfo-4.2.6p5-2.el6_5.s390x.rpm
ntpdate-4.2.6p5-2.el6_5.s390x.rpm
x86_64:
ntp-4.2.6p5-2.el6_5.x86_64.rpm
ntp-debuginfo-4.2.6p5-2.el6_5.x86_64.rpm
ntpdate-4.2.6p5-2.el6_5.x86_64.rpm
Red Hat Enterprise Linux Server Optional EUS (v. 6.5):
Source:
ntp-4.2.6p5-2.el6_5.src.rpm
i386:
ntp-debuginfo-4.2.6p5-2.el6_5.i686.rpm
ntp-perl-4.2.6p5-2.el6_5.i686.rpm
noarch:
ntp-doc-4.2.6p5-2.el6_5.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-2.el6_5.ppc64.rpm
ntp-perl-4.2.6p5-2.el6_5.ppc64.rpm
s390x:
ntp-debuginfo-4.2.6p5-2.el6_5.s390x.rpm
ntp-perl-4.2.6p5-2.el6_5.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-2.el6_5.x86_64.rpm
ntp-perl-4.2.6p5-2.el6_5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-9293
https://access.redhat.com/security/cve/CVE-2014-9294
https://access.redhat.com/security/cve/CVE-2014-9295
https://access.redhat.com/security/cve/CVE-2014-9296
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
On December 19, 2014, NTP.org and US-CERT released security advisories detailing two issues regarding weak cryptographic pseudorandom number generation (PRNG), three buffer overflow vulnerabilities, and an unhandled error condition with an unknown impact.
Cisco will release free software updates that address these vulnerabilities.
Workarounds that mitigate these vulnerabilities are available. This situation may be exploitable by an attacker
(CVE-2014-9296).
Stephen Roettger of the Google Security Team, Sebastian Krahmer of
the SUSE Security Team and Harlan Stenn of Network Time Foundation
discovered that the length value in extension fields is not properly
validated in several code paths in ntp_crypto.c, which could lead to
information leakage or denial of service (CVE-2014-9297).
Stephen Roettger of the Google Security Team reported that ACLs based
on IPv6 ::1 (localhost) addresses can be bypassed (CVE-2014-9298).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298
http://advisories.mageia.org/MGASA-2014-0541.html
http://advisories.mageia.org/MGASA-2015-0063.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
8f7d14b95c55bd1de7230cff0c8ea9d7 mbs2/x86_64/ntp-4.2.6p5-16.1.mbs2.x86_64.rpm
09063ab11459b1f935809b37c742ff12 mbs2/x86_64/ntp-client-4.2.6p5-16.1.mbs2.x86_64.rpm
7a0d0eca35911d9f15b76b474c5512cf mbs2/x86_64/ntp-doc-4.2.6p5-16.1.mbs2.noarch.rpm
cb0371050702950084ff633ea45c2c5c mbs2/SRPMS/ntp-4.2.6p5-16.1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
.
Platform
Patch Kit Name
Alpha IA64 V8.4
75-117-380_2015-08-24.BCK
NOTE: Please contact OpenVMS Technical Support to request these patch kits.
HISTORY
Version:1 (rev.1) - 9 September 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
============================================================================
Ubuntu Security Notice USN-2449-1
December 22, 2014
ntp vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in NTP. The default compiler options for affected releases should reduce the
vulnerability to a denial of service. In addition, attackers would be
isolated by the NTP AppArmor profile. (CVE-2014-9295)
Stephen Roettger discovered that NTP incorrectly continued processing when
handling certain errors. (CVE-2014-9296)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.10.1
Ubuntu 14.04 LTS:
ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.1
Ubuntu 12.04 LTS:
ntp 1:4.2.6.p3+dfsg-1ubuntu3.2
Ubuntu 10.04 LTS:
ntp 1:4.2.4p8+dfsg-1ubuntu2.2
After a standard system update you need to regenerate any MD5 keys that
were manually created with ntp-keygen.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04574882
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04574882
Version: 1
HPSBPV03266 rev.1 - Certain HP Networking and H3C Switches and Routers
running NTP, Remote Execution of Code, Disclosure of Information, and Denial
of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-02-18
Last Updated: 2015-02-18
Potential Security Impact: Remote execution of code and disclosure of
information and denial of service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with certain HP
Networking and H3C switches and routers running NTP. The vulnerabilities
could be exploited remotely to allow execution of code, disclosure of
information and denial of service (DoS).
References:
CVE-2014-9293
CVE-2014-9294
CVE-2014-9295
VU#852879
SSRT101878
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
See resolution table
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-9293 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9294 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9295 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided a mitigation for the impacted HP and H3C products.
Mitigation for impacted products: disable NTP, until an update is available.
Family
Fixed Version
HP Branded Products Impacted
H3C Branded Products Impacted
3Com Branded Products Impacted
12900 Switch Series
Fix in Progress, Use Mitigation
JG619A HP FF 12910 Switch AC Chassis, JG621A HP FF 12910 Main Processing
Unit, JG632A HP FF 12916 Switch AC Chassis, JG634A HP FF 12916 Main
Processing Unit
N/A
N/A
12500
Fix in Progress, Use Mitigation
JC085A HP A12518 Switch Chassis, JC086A HP A12508 Switch Chassis, JC652A HP
12508 DC Switch Chassis, JC653A HP 12518 DC Switch Chassis, JC654A HP 12504
AC Switch Chassis, JC655A HP 12504 DC Switch Chassis, JF430A HP A12518 Switch
Chassis, JF430B HP 12518 Switch Chassis, JF430C HP 12518 AC Switch Chassis,
JF431A HP A12508 Switch Chassis, JF431B HP 12508 Switch Chassis, JF431C HP
12508 AC Switch Chassis, JC072B HP 12500 Main Processing Unit, JC808A HP
12500 TAA Main Processing Unit
H3C S12508 Routing Switch(AC-1) (0235A0GE), H3C S12518 Routing Switch(AC-1)
(0235A0GF), H3C S12508 Chassis (0235A0E6), H3C S12508 Chassis (0235A38N), H3C
S12518 Chassis (0235A0E7), H3C S12518 Chassis (0235A38M), H3C 12508 DC
Switch Chassis (0235A38L), H3C 12518 DC Switch Chassis (0235A38K)
N/A
12500 (Comware v7)
Fix in Progress, Use Mitigation
JC085A HP A12518 Switch Chassis, JC086A HP A12508 Switch Chassis, JC652A HP
12508 DC Switch Chassis, JC653A HP 12518 DC Switch Chassis, JC654A HP 12504
AC Switch Chassis, JC655A HP 12504 DC Switch Chassis, JF430A HP A12518 Switch
Chassis, JF430B HP 12518 Switch Chassis, JF430C HP 12518 AC Switch Chassis,
JF431A HP A12508 Switch Chassis, JF431B HP 12508 Switch Chassis, JF431C HP
12508 AC Switch Chassis, JC072B HP 12500 Main Processing Unit, JG497A HP
12500 MPU w/Comware V7 OS, JG782A HP FF 12508E AC Switch Chassis, JG783A HP
FF 12508E DC Switch Chassis, JG784A HP FF 12518E AC Switch Chassis, JG785A HP
FF 12518E DC Switch Chassis, JG802A HP FF 12500E MPU
H3C S12508 Routing Switch(AC-1) (0235A0GE), H3C S12518 Routing Switch(AC-1)
(0235A0GF), H3C S12508 Chassis (0235A0E6), H3C S12508 Chassis (0235A38N), H3C
S12518 Chassis (0235A0E7), H3C S12518 Chassis (0235A38M), H3C 12508 DC Switch
Chassis (0235A38L), H3C 12518 DC Switch Chassis (0235A38K)
N/A
11900 Switch Series
Fix in Progress, Use Mitigation
JG608A HP FF 11908-V Switch Chassis, JG609A HP FF 11900 Main Processing Unit
N/A
N/A
10500 Switch Series (Comware v5)
R1208P10
JC611A HP 10508-V Switch Chassis, JC612A HP 10508 Switch Chassis, JC613A HP
10504 Switch Chassis, JC614A HP 10500 Main Processing Unit, JC748A HP 10512
Switch Chassis, JG375A HP 10500 TAA Main Processing Unit, JG820A HP 10504 TAA
Switch Chassis, JG821A HP 10508 TAA Switch Chassis, JG822A HP 10508-V TAA
Switch Chassis, JG823A HP 10512 TAA Switch Chassis
N/A
N/A
10500 Switch Series (Comware v7)
Fix in Progress, Use Mitigation
JC611A HP 10508-V Switch Chassis, JC612A HP 10508 Switch Chassis, JC613A HP
10504 Switch Chassis, JC748A HP 10512 Switch Chassis, JG820A HP 10504 TAA
Switch Chassis, JG821A HP 10508 TAA Switch Chassis, JG822A HP 10508-V TAA
Switch Chassis, JG823A HP 10512 TAA Switch Chassis, JG496A HP 10500 Type A
MPU w/Comware v7 OS
N/A
N/A
9500E
Fix in Progress, Use Mitigation
JC124A HP A9508 Switch Chassis, JC124B HP 9505 Switch Chassis, JC125A HP
A9512 Switch Chassis, JC125B HP 9512 Switch Chassis, JC474A HP A9508-V Switch
Chassis, JC474B HP 9508-V Switch Chassis
H3C S9505E Routing-Switch Chassis (0235A0G6), H3C S9512E Routing-Switch
Chassis (0235A0G7), H3C S9508E-V Routing-Switch Chassis (0235A38Q), H3C
S9505E Chassis w/ Fans (0235A38P), H3C S9512E Chassis w/ Fans (0235A38R)
N/A
8800
Fix in Progress, Use Mitigation
JC141A HP 8802 Main Control Unit Module, JC147A HP 8802 Router Chassis,
JC147B HP 8802 Router Chassis, JC148A HP A8805 Router Chassis, JC148B HP 8805
Router Chassis, JC137A HP 8805/08/12 (2E) Main Cntrl Unit Mod, JC138A HP
8805/08/12 (1E) Main Cntrl Unit Mod, JC149A HP A8808 Router Chassis, JC149B
HP 8808 Router Chassis, JC150A HP A8812 Router Chassis, JC150B HP 8812 Router
Chassis
H3C Main Control Unit for SR8802 (0231A84N), H3C SR8802 10G Core Router
Chassis (0235A31B), H3C SR8802 10G Core Router Chassis (0235A0GC), H3C SR8805
10G Core Router Chassis (0235A31C), H3C SR8805 10G Core Router Chassis
(0235A0G8), H3C SR8800 Routing Switch Processing Board(0231A80E), H3C Main
Control Unit for SR8805/08/12 IE (0231A82E), H3C SR8808 10G Core Router
Chassis (0235A31D / 0235A0G9), H3C SR8812 10G Core Router Chassis (0235A31E /
0235A0GA)
N/A
7900
Fix in Progress, Use Mitigation
JG682A HP FlexFabric 7904 Switch Chassis, JH001A HP FF 7910 2.4Tbps Fabric /
MPU, JG842A HP FF 7910 7.2Tbps Fabric / MPU, JG841A HP FF 7910 Switch Chassis
N/A
N/A
7500 Switch Series
R6708P10
JC666A HP A7503-S 144 Gbps Fab/MPU w 24p Gig-T, JC697A HP A7502 TAA Main
Processing Unit, JC698A HP A7503S 144 Gbps TAA Fab/MPU w 24p GbE, JC699A HP
A7500 384Gbps TAA Fab/MPU w 2p 10-GbE, JC700A HP A7500 384 Gbps TAA Fabric /
MPU, JC701A HP A7510 768 Gbps TAA Fabric / MPU, JD193A HP 384 Gbps A7500 Fab
Mod w/2 XFP Ports, JD193B HP 7500 384Gbps Fab Mod w/2 XFP Ports, JD194A HP
384 Gbps Fabric A7500 Module, JD194B HP 7500 384Gbps Fabric Module, JD195A HP
7500 384Gbps Advanced Fabric Module, JD196A HP 7502 Fabric Module, JD220A HP
7500 768Gbps Fabric Module, JD238A HP A7510 Switch Chassis, JD238B HP 7510
Switch Chassis, JD239A HP A7506 Switch Chassis, JD239B HP 7506 Switch
Chassis, JD240A HP A7503 Switch Chassis, JD240B HP 7503 Switch Chassis,
JD241A HP A7506 Vertical Switch Chassis, JD241B HP 7506-V Switch Chassis,
JD242A HP A7502 Switch Chassis, JD242B HP 7502 Switch Chassis, JD243A HP
A7503 Switch Chassis w/1 Fabric Slot, JD243B HP 7503-S Switch Chassis w/1
Fabric Slot
H3C S7502E Ethernet Switch Chassis with Fan (0235A0G4), H3C S7503E Ethernet
Switch Chassis with Fan (0235A0G2), H3C S7503E-S Ethernet Switch Chassis with
Fan (0235A0G5), H3C S7506E Ethernet Switch Chassis with Fan (0235A0G1), H3C
S7506E-V Ethernet Switch Chassis with Fan (0235A0G3), H3C S7510E Ethernet
Switch Chassis with Fan (0235A0G0), H3C S7502E Chassis w/ fans (0235A29A),
H3C S7503E Chassis w/ fans (0235A27R), H3C S7503E-S Chassis w/ fans
(0235A33R), H3C S7506E Chassis w/ fans (0235A27Q), H3C S7506E-V Chassis w/
fans (0235A27S)
N/A
HSR6800
Fix in Progress, Use Mitigation
JG361A HP HSR6802 Router Chassis, JG362A HP HSR6804 Router Chassis, JG363A
HP HSR6808 Router Chassis, JG364A HP HSR6800 RSE-X2 Router MPU, JG779A HP
HSR6800 RSE-X2 Router TAA MPU
N/A
N/A
HSR6800 Russian Version
Fix in Progress, Use Mitigation
JG361A HP HSR6802 Router Chassis, JG362A HP HSR6804 Router Chassis, JG363A
HP HSR6808 Router Chassis, JG364A HP HSR6800 RSE-X2 Router MPU, JG779A HP
HSR6800 RSE-X2 Router TAA MPU
N/A
N/A
HSR6602
Fix in Progress, Use Mitigation
JG353A HP HSR6602-G Router, JG354A HP HSR6602-XG Router, JG776A HP HSR6602-G
TAA Router, JG777A HP HSR6602-XG TAA Router
N/A
N/A
HSR6602 Russian Version
Fix in Progress, Use Mitigation
JG353A HP HSR6602-G Router, JG354A HP HSR6602-XG Router, JG776A HP HSR6602-G
TAA Router, JG777A HP HSR6602-XG TAA Router
N/A
N/A
6602
Fix in Progress, Use Mitigation
JC176A HP 6602 Router Chassis
H3C SR6602 1U Router Host (0235A27D)
N/A
6602 Russian Version
Fix in Progress, Use Mitigation
JC176A HP 6602 Router Chassis
H3C SR6602 1U Router Host (0235A27D)
N/A
A6600
Fix in Progress, Use Mitigation
JC165A HP 6600 RPE-X1 Router Module, JC177A HP 6608 Router, JC177B HP A6608
Router Chassis, JC178A HP 6604 Router Chassis, JC178B HP A6604 Router
Chassis, JC496A HP 6616 Router Chassis, JC566A HP A6600 RSE-X1 Main
Processing Unit, JG780A HP 6600 RSE-X1 Router TAA MPU
H3C RT-SR66-RPE-X1-H3 (0231A761), H3C RT-SR6608-OVS-H3 (0235A32X), H3C
RT-SR6604-OVS-H3 (0235A37X), H3C SR6616 Router Chassis (0235A41D)
N/A
A6600 Russian Version
Fix in Progress, Use Mitigation
JC165A HP 6600 RPE-X1 Router Module, JC177A HP 6608 Router, JC177B HP A6608
Router Chassis, JC178A HP 6604 Router Chassis, JC178B HP A6604 Router
Chassis, JC496A HP 6616 Router Chassis, JC566A HP A6600 RSE-X1 Main
Processing Unit, JG780A HP 6600 RSE-X1 Router TAA MPU
H3C RT-SR66-RPE-X1-H3 (0231A761), H3C RT-SR6608-OVS-H3 (0235A32X), H3C
RT-SR6604-OVS-H3 (0235A37X), H3C SR6616 Router Chassis (0235A41D)
N/A
6600 MCP
Fix in Progress, Use Mitigation
JC177A HP 6608 Router, JC177B HP A6608 Router Chassis, JC178A HP 6604 Router
Chassis, JC178B HP A6604 Router Chassis, JC496A HP 6616 Router Chassis,
JG778A HP 6600 MCP-X2 Router TAA MPU, JG355A HP 6600 MCP-X1 Router MPU,
JG356A HP 6600 MCP-X2 Router MPU
H3C RT-SR6608-OVS-H3 (0235A32X), H3C RT-SR6604-OVS-H3 (0235A37X), H3C SR6616
Router Chassis (0235A41D)
N/A
6600 MCP Russian Version
Fix in Progress, Use Mitigation
JC177A HP 6608 Router, JC177B HP A6608 Router Chassis, JC178A HP 6604 Router
Chassis, JC178B HP A6604 Router Chassis, JC496A HP 6616 Router Chassis,
JG355A HP 6600 MCP-X1 Router MPU, JG356A HP 6600 MCP-X2 Router MPU, JG776A HP
HSR6602-G TAA Router, JG777A HP HSR6602-XG TAA Router, JG778A HP 6600 MCP-X2
Router TAA MPU
H3C RT-SR6608-OVS-H3 (0235A32X), H3C RT-SR6604-OVS-H3 (0235A37X), H3C SR6616
Router Chassis (0235A41D)
N/A
5920 Switch Series
Fix in Progress, Use Mitigation
JG296A HP 5920AF-24XG Switch, JG555A HP 5920AF-24XG TAA Switch
N/A
N/A
5900 Switch Series
Fix in Progress, Use Mitigation
JC772A HP 5900AF-48XG-4QSFP+ Switch, JG336A HP 5900AF-48XGT-4QSFP+ Switch,
JG510A HP 5900AF-48G-4XG-2QSFP+ Switch, JG554A HP 5900AF-48XG-4QSFP+ TAA
Switch, JG838A HP FF 5900CP-48XG-4QSFP+ Switch
N/A
N/A
5830 Switch Series
Fix in Progress, Use Mitigation
JC691A HP A5830AF-48G Switch w/1 Interface Slot, JC694A HP A5830AF-96G
Switch, JG316A HP 5830AF-48G TAA Switch w/1 Intf Slot, JG374A HP 5830AF-96G
TAA Switch
N/A
N/A
5820 Switch Series
Fix in Progress, Use Mitigation
JC102A HP 5820-24XG-SFP+ Switch, JC106A HP 5820-14XG-SFP+ Switch with 2
Slots, JG219A HP 5820AF-24XG Switch, JG243A HP 5820-24XG-SFP+ TAA-compliant
Switch, JG259A HP 5820X-14XG-SFP+ TAA Switch w 2 Slots
H3C S5820X-28C 14 port (SFP Plus ) Plus 4-port BT (RJ45) Plus 2 media
modules Plus OSM (0235A37L), H3C S5820X-28S 24-port 10GBASE-X (SFP Plus )
Plus 4-port 10/100/1000BASE-T (RJ45) (0235A370)
N/A
5800 Switch Series
Fix in Progress, Use Mitigation
JC099A HP 5800-24G-PoE Switch, JC100A HP 5800-24G Switch, JC101A HP 5800-48G
Switch with 2 Slots, JC103A HP 5800-24G-SFP Switch, JC104A HP 5800-48G-PoE
Switch, JC105A HP 5800-48G Switch, JG225A HP 5800AF-48G Switch, JG242A HP
5800-48G-PoE+ TAA Switch w 2 Slots, JG254A HP 5800-24G-PoE+ TAA-compliant
Switch, JG255A HP 5800-24G TAA-compliant Switch, JG256A HP 5800-24G-SFP TAA
Switch w 1 Intf Slt, JG257A HP 5800-48G-PoE+ TAA Switch with 1 Slot, JG258A
HP 5800-48G TAA Switch w 1 Intf Slot
H3C S5800-32C - 24-port 1BT Plus 4-port (SFP Plus ) Plus 1 media slot
(0235A36U), H3C S5800-32C-PWR - 24-port 10/100/1000BASE-T (RJ45) Plus 4-port
10GBASE-X (SFP Plus ) Plus 1 media module PoE (0235A36S), H3C S5800-32F
24-port 1000BASE-X (SFP) Plus 4-port 10GBASE-X (SFP Plus ) Plus media module
(no power) (0235A374), H3C S5800-56C 48-port 10/100/1000BASE-T (RJ45) Plus
4port 10GBASE-X (SFP Plus ) Plus media module (0235A379), H3C S5800-56C-PWR
48-port BT Plus 4 port (SFP Plus ) Plus media module (0235A378), H3C
S5800-60C-PWR 48-port BT Plus 4-port SFP Plus 2 media modules Plus OSM
(0235A36W)
N/A
5500 HI Switch Series
R5501P06
JG311A HP HI 5500-24G-4SFP w/2 Intf Slts Switch, JG312A HP HI 5500-48G-4SFP
w/2 Intf Slts Switch, JG541A HP 5500-24G-PoE+-4SFP HI Switch w/2 Slt, JG542A
HP 5500-48G-PoE+-4SFP HI Switch w/2 Slt, JG543A HP 5500-24G-SFP HI Switch w/2
Intf Slt, JG679A HP 5500-24G-PoE+-4SFP HI TAA Swch w/2Slt, JG680A HP
5500-48G-PoE+-4SFP HI TAA Swch w/2Slt, JG681A HP 5500-24G-SFP HI TAA Swch
w/2Slt
N/A
N/A
5500 EI Switch Series
R2221P08
JD373A HP 5500-24G DC EI Switch, JD374A HP 5500-24G-SFP EI Switch, JD375A HP
5500-48G EI Switch, JD376A HP 5500-48G-PoE EI Switch, JD377A HP 5500-24G EI
Switch, JD378A HP 5500-24G-PoE EI Switch, JD379A HP 5500-24G-SFP DC EI
Switch, JG240A HP 5500-48G-PoE+ EI Switch w/2 Intf Slts, JG241A HP
5500-24G-PoE+ EI Switch w/2 Intf Slts, JG249A HP 5500-24G-SFP EI TAA Switch w
2 Slts, JG250A HP 5500-24G EI TAA Switch w 2 Intf Slts, JG251A HP 5500-48G EI
TAA Switch w 2 Intf Slts, JG252A HP 5500-24G-PoE+ EI TAA Switch w/2 Slts,
JG253A HP 5500-48G-PoE+ EI TAA Switch w/2 Slts
H3C S5500-28C-EI Ethernet Switch (0235A253), H3C S5500-28F-EI Eth Switch AC
Single (0235A24U), H3C S5500-52C-EI Ethernet Switch (0235A24X), H3C
S5500-28C-EI-DC Ethernet Switch (0235A24S), H3C S5500-28C-PWR-EI Ethernet
Switch (0235A255), H3C S5500-28F-EI Eth Swtch DC Single Pwr (0235A259), H3C
S5500-52C-PWR-EI Ethernet Switch (0235A251)
N/A
5500 SI Switch Series
R2221P08
JD369A HP 5500-24G SI Switch, JD370A HP 5500-48G SI Switch, JD371A HP
5500-24G-PoE SI Switch, JD372A HP 5500-48G-PoE SI Switch, JG238A HP
5500-24G-PoE+ SI Switch w/2 Intf Slts, JG239A HP 5500-48G-PoE+ SI Switch w/2
Intf Slts
H3C S5500-28C-SI Ethernet Switch (0235A04U), H3C S5500-52C-SI Ethernet
Switch (0235A04V), H3C S5500-28C-PWR-SI Ethernet Switch (0235A05H), H3C
S5500-52C-PWR-SI Ethernet Switch (0235A05J)
N/A
5130 EI switch Series
Fix in Progress, Use Mitigation
JG932A HP 5130-24G-4SFP+ EI Switch, JG933A HP 5130-24G-SFP-4SFP+ EI Switch,
JG934A HP 5130-48G-4SFP+ EI Switch, JG936A HP 5130-24G-PoE+-4SFP+ EI Swch,
JG937A HP 5130-48G-PoE+-4SFP+ EI Swch, JG975A HP 5130-24G-4SFP+ EI BR Switch,
JG976A HP 5130-48G-4SFP+ EI BR Switch, JG977A HP 5130-24G-PoE+-4SFP+ EI BR
Swch, JG978A HP 5130-48G-PoE+-4SFP+ EI BR Swch
5120 EI Switch Series
R2221P08
JE066A HP 5120-24G EI Switch, JE067A HP 5120-48G EI Switch, JE068A HP
5120-24G EI Switch with 2 Slots, JE069A HP 5120-48G EI Switch with 2 Slots,
JE070A HP 5120-24G-PoE EI Switch with 2 Slots, JE071A HP 5120-48G-PoE EI
Switch with 2 Slots, JG236A HP 5120-24G-PoE+ EI Switch w/2 Intf Slts, JG237A
HP 5120-48G-PoE+ EI Switch w/2 Intf Slts, JG245A HP 5120-24G EI TAA Switch w
2 Intf Slts, JG246A HP 5120-48G EI TAA Switch w 2 Intf Slts, JG247A HP
5120-24G-PoE+ EI TAA Switch w 2 Slts, JG248A HP 5120-48G-PoE+ EI TAA Switch w
2 Slts
H3C S5120-24P-EI 24GE Plus 4ComboSFP (0235A0BQ), H3C S5120-28C-EI 24GE Plus
4Combo Plus 2Slt (0235A0BS), H3C S5120-48P-EI 48GE Plus 4ComboSFP (0235A0BR),
H3C S5120-52C-EI 48GE Plus 4Combo Plus 2Slt (0235A0BT), H3C S5120-28C-PWR-EI
24G Plus 4C Plus 2S Plus POE (0235A0BU), H3C S5120-52C-PWR-EI 48G Plus 4C
Plus 2S Plus POE (0235A0BV)
5120 SI switch Series
Fix in Progress, Use Mitigation
JE072A HP 5120-48G SI Switch, JE073A HP 5120-16G SI Switch, JE074A HP
5120-24G SI Switch, JG091A HP 5120-24G-PoE+ (370W) SI Switch, JG092A HP
5120-24G-PoE+ (170W) SI Switch
H3C S5120-52P-SI 48GE Plus 4 SFP (0235A41W), H3C S5120-20P-SI L2, 16GE Plus
4SFP (0235A42B), H3C S5120-28P-SI 24GE Plus 4 SFP (0235A42D), H3C
S5120-28P-HPWR-SI (0235A0E5), H3C S5120-28P-PWR-SI (0235A0E3)
4800 G Switch Series
R2221P08
JD007A HP 4800-24G Switch, JD008A HP 4800-24G-PoE Switch, JD009A HP
4800-24G-SFP Switch, JD010A HP 4800-48G Switch, JD011A HP 4800-48G-PoE Switch
N/A
3Com Switch 4800G 24-Port (3CRS48G-24-91), 3Com Switch 4800G 24-Port SFP
(3CRS48G-24S-91), 3Com Switch 4800G 48-Port (3CRS48G-48-91), 3Com Switch
4800G PWR 24-Port (3CRS48G-24P-91), 3Com Switch 4800G PWR 48-Port
(3CRS48G-48P-91)
4510G Switch Series
R2221P08
JF428A HP 4510-48G Switch, JF847A HP 4510-24G Switch
N/A
3Com Switch 4510G 48 Port (3CRS45G-48-91), 3Com Switch 4510G PWR 24-Port
(3CRS45G-24P-91), 3Com Switch E4510-24G (3CRS45G-24-91)
4210G Switch Series
R2221P08
JF844A HP 4210-24G Switch, JF845A HP 4210-48G Switch, JF846A HP 4210-24G-PoE
Switch
N/A
3Com Switch 4210-24G (3CRS42G-24-91), 3Com Switch 4210-48G (3CRS42G-48-91),
3Com Switch E4210-24G-PoE (3CRS42G-24P-91)
3610 Switch Series
Fix in Progress, Use Mitigation
JD335A HP 3610-48 Switch, JD336A HP 3610-24-4G-SFP Switch, JD337A HP
3610-24-2G-2G-SFP Switch, JD338A HP 3610-24-SFP Switch
H3C S3610-52P - model LS-3610-52P-OVS (0235A22C), H3C S3610-28P - model
LS-3610-28P-OVS (0235A22D), H3C S3610-28TP - model LS-3610-28TP-OVS
(0235A22E), H3C S3610-28F - model LS-3610-28F-OVS (0235A22F)
N/A
3600 V2 Switch Series
R2110P03
JG299A HP 3600-24 v2 EI Switch, JG300A HP 3600-48 v2 EI Switch, JG301A HP
3600-24-PoE+ v2 EI Switch, JG301B HP 3600-24-PoE+ v2 EI Switch, JG302A HP
3600-48-PoE+ v2 EI Switch, JG302B HP 3600-48-PoE+ v2 EI Switch, JG303A HP
3600-24-SFP v2 EI Switch, JG304A HP 3600-24 v2 SI Switch, JG305A HP 3600-48
v2 SI Switch, JG306A HP 3600-24-PoE+ v2 SI Switch, JG306B HP 3600-24-PoE+ v2
SI Switch, JG307A HP 3600-48-PoE+ v2 SI Switch, JG307B HP 3600-48-PoE+ v2 SI
Switch
N/A
N/A
3100V2
R5203P11
JD313B HP 3100-24-PoE v2 EI Switch, JD318B HP 3100-8 v2 EI Switch, JD319B HP
3100-16 v2 EI Switch, JD320B HP 3100-24 v2 EI Switch, JG221A HP 3100-8 v2 SI
Switch, JG222A HP 3100-16 v2 SI Switch, JG223A HP 3100-24 v2 SI Switch
N/A
N/A
3100V2-48
R2110P03
JG315A HP 3100-48 v2 Switch
N/A
N/A
1920
Fix in Progress, Use Mitigation
JG920A HP 1920-8G Switch, JG921A HP 1920-8G-PoE+ (65W) Switch, JG922A HP
1920-8G-PoE+ (180W) Switch, JG923A HP 1920-16G Switch, JG924A HP 1920-24G
Switch, JG925A HP 1920-24G-PoE+ (180W) Switch, JG926A HP 1920-24G-PoE+ (370W)
Switch, JG927A HP 1920-48G Switch
1910 R11
Fix in Progress, Use Mitigation
JG536A HP 1910-8 Switch, JG537A HP 1910-8 -PoE+ Switch, JG538A HP 1910-24
Switch, JG539A HP 1910-24-PoE+ Switch, JG540A HP 1910-48 Switch
N/A
N/A
1910 R15
Fix in Progress, Use Mitigation
JE005A HP 1910-16G Switch, JE006A HP 1910-24G Switch, JE007A HP 1910-24G-PoE
(365W) Switch, JE008A HP 1910-24G-PoE(170W) Switch, JE009A HP 1910-48G
Switch, JG348A HP 1910-8G Switch, JG349A HP 1910-8G-PoE+ (65W) Switch, JG350A
HP 1910-8G-PoE+ (180W) Switch
N/A
N/A
1620
Fix in Progress, Use Mitigation
JG912A HP 1620-8G Switch, JG913A HP 1620-24G Switch, JG914A HP 1620-48G
Switch
N/A
N/A
MSR20-1X
Fix in Progress, Use Mitigation
JD431A HP MSR20-10 Router, JD667A HP MSR20-15 IW Multi-Service Router,
JD668A HP MSR20-13 Multi-Service Router, JD669A HP MSR20-13 W Multi-Service
Router, JD670A HP MSR20-15 A Multi-Service Router, JD671A HP MSR20-15 AW
Multi-Service Router, JD672A HP MSR20-15 I Multi-Service Router, JD673A HP
MSR20-11 Multi-Service Router, JD674A HP MSR20-12 Multi-Service Router,
JD675A HP MSR20-12 W Multi-Service Router, JD676A HP MSR20-12 T1
Multi-Service Router, JF236A HP MSR20-15-I Router, JF237A HP MSR20-15-A
Router, JF238A HP MSR20-15-I-W Router, JF239A HP MSR20-11 Router, JF240A HP
MSR20-13 Router, JF241A HP MSR20-12 Router, JF806A HP MSR20-12-T Router, JF807A
HP MSR20-12-W Router, JF808A HP MSR20-13-W Router, JF809A HP MSR20-15-A-W
Router, JF817A HP MSR20-15 Router, JG209A HP MSR20-12-T-W Router (NA), JG210A
HP MSR20-13-W Router (NA)
H3C MSR 20-15 Router Host(AC) 1 FE 4 LSW 1 ADSLoPOTS 1 DSIC (0235A0A8), H3C
MSR 20-10 (0235A0A7), H3C RT-MSR2011-AC-OVS-H3 (0235A395), H3C
RT-MSR2012-AC-OVS-H3 (0235A396), H3C RT-MSR2012-AC-OVS-W-H3 (0235A397), H3C
RT-MSR2012-T-AC-OVS-H3 (0235A398), H3C RT-MSR2013-AC-OVS-H3 (0235A390), H3C
RT-MSR2013-AC-OVS-W-H3 (0235A391), H3C RT-MSR2015-AC-OVS-A-H3 (0235A392), H3C
RT-MSR2015-AC-OVS-AW-H3 (0235A393), H3C RT-MSR2015-AC-OVS-I-H3 (0235A394), H3C
RT-MSR2015-AC-OVS-IW-H3 (0235A38V), H3C MSR 20-11 (0235A31V), H3C MSR 20-12
(0235A32E), H3C MSR 20-12 T1 (0235A32B), H3C MSR 20-13 (0235A31W), H3C MSR
20-13 W (0235A31X), H3C MSR 20-15 A (0235A31Q), H3C MSR 20-15 A W
(0235A31R), H3C MSR 20-15 I (0235A31N), H3C MSR 20-15 IW (0235A31P), H3C
MSR20-12 W (0235A32G)
N/A
MSR30
Fix in Progress, Use Mitigation
JD654A HP MSR30-60 POE Multi-Service Router, JD657A HP MSR30-40
Multi-Service Router, JD658A HP MSR30-60 Multi-Service Router, JD660A HP
MSR30-20 POE Multi-Service Router, JD661A HP MSR30-40 POE Multi-Service
Router, JD666A HP MSR30-20 Multi-Service Router, JF229A HP MSR30-40
Router, JF230A HP MSR30-60 Router, JF232A HP RT-MSR3040-AC-OVS-AS-H3, JF235A
HP MSR30-20 DC Router, JF284A HP MSR30-20 Router, JF287A HP MSR30-40 DC
Router, JF801A HP MSR30-60 DC Router, JF802A HP MSR30-20 PoE Router, JF803A HP
MSR30-40 PoE Router, JF804A HP MSR30-60 PoE Router
H3C MSR 30-20 Router (0235A328), H3C MSR 30-40 Router Host(DC) (0235A268),
H3C RT-MSR3020-AC-POE-OVS-H3 (0235A322), H3C RT-MSR3020-DC-OVS-H3 (0235A267),
H3C RT-MSR3040-AC-OVS-H (0235A299), H3C RT-MSR3040-AC-POE-OVS-H3 (0235A323),
H3C RT-MSR3060-AC-OVS-H3 (0235A320), H3C RT-MSR3060-AC-POE-OVS-H3 (0235A296),
H3C RT-MSR3060-DC-OVS-H3 (0235A269), H3C MSR 30-20 RTVZ33020AS Router Host(AC)
(0235A20S), H3C MSR 30-20 (0235A19L), H3C MSR 30-20 POE (0235A239), H3C MSR
30-40 (0235A20J), H3C MSR 30-40 POE (0235A25R), H3C MSR 30-60 (0235A20K), H3C
MSR 30-60 POE (0235A25S), H3C RT-MSR3040-AC-OVS-AS-H3 (0235A20V)
N/A
MSR30-16
Fix in Progress, Use Mitigation
JD659A HP MSR30-16 POE Multi-Service Router, JD665A HP MSR30-16
Multi-Service Router, JF233A HP MSR30-16 Router, JF234A HP MSR30-16 PoE
Router
H3C RT-MSR3016-AC-OVS-H3 (0235A327), H3C RT-MSR3016-AC-POE-OVS-H3
(0235A321), H3C MSR 30-16 (0235A237), H3C MSR 30-16 POE (0235A238)
N/A
MSR30-1X
Fix in Progress, Use Mitigation
JF800A HP MSR30-11 Router, JF816A HP MSR30-10 2 FE /2 SIC /1 MIM MS Rtr,
JG182A HP MSR30-11E Router, JG183A HP MSR30-11F Router, JG184A HP MSR30-10 DC
Router
H3C MSR 30-10 Router Host(AC) 2FE 2SIC 1XMIM 256DDR (0235A39H), H3C
RT-MSR3011-AC-OVS-H3 (0235A29L)
N/A
MSR50
Fix in Progress, Use Mitigation
JD433A HP MSR50-40 Router, JD653A HP MSR50 Processor Module, JD655A HP
MSR50-40 Multi-Service Router, JD656A HP MSR50-60 Multi-Service Router,
JF231A HP MSR50-60 Router, JF285A HP MSR50-40 DC Router, JF640A HP MSR50-60
Rtr Chassis w DC PwrSupply
H3C MSR 50-40 Router (0235A297), H3C MSR5040-DC-OVS-H3C (0235A20P), H3C
RT-MSR5060-AC-OVS-H3 (0235A298), H3C MSR 50-40 Chassis (0235A20N), H3C MSR
50-60 Chassis (0235A20L)
N/A
MSR50-G2
Fix in Progress, Use Mitigation
JD429A HP MSR50 G2 Processor Module, JD429B HP MSR50 G2 Processor Module
H3C MSR 50 Processor Module-G2 (0231A84Q), H3C MSR 50 High Performance
Main Processing Unit 3GE (Combo) 256F/1GD(0231A0KL)
N/A
MSR20 Russian version
Fix in Progress, Use Mitigation
JD663B HP MSR20-21 Router, JF228A HP MSR20-40 Router, JF283A HP MSR20-20
Router
H3C RT-MSR2020-AC-OVS-H3C (0235A324), H3C RT-MSR2040-AC-OVS-H3 (0235A326)
N/A
MSR20-1X Russian version
Fix in Progress, Use Mitigation
JD431A HP MSR20-10 Router, JF236A HP MSR20-15-I Router, JF237A HP MSR20-15-A
Router, JF238A HP MSR20-15-I-W Router, JF239A HP MSR20-11 Router, JF240A HP
MSR20-13 Router, JF241A HP MSR20-12 Router, JF806A HP MSR20-12-T Router,
JF807A HP MSR20-12-W Router, JF808A HP MSR20-13-W Router, JF809A HP
MSR20-15-A-W Router, JF817A HP MSR20-15 Router
H3C MSR 20-10 (0235A0A7), H3C RT-MSR2015-AC-OVS-I-H3 (0235A394), H3C
RT-MSR2015-AC-OVS-A-H3 (0235A392), H3C RT-MSR2015-AC-OVS-AW-H3 (0235A393),
H3C RT-MSR2011-AC-OVS-H3 (0235A395), H3C RT-MSR2013-AC-OVS-H3 (0235A390), H3C
RT-MSR2012-AC-OVS-H3 (0235A396), H3C RT-MSR2012-T-AC-OVS-H3 (0235A398), H3C
RT-MSR2012-AC-OVS-W-H3 (0235A397), H3C RT-MSR2013-AC-OVS-W-H3 (0235A391), H3C
RT-MSR2015-AC-OVS-IW-H3 (0235A38V), H3C MSR 20-15 Router Host(AC) 1 FE 4 LSW
1 ADSLoPOTS 1 DSIC (0235A0A8)
N/A
MSR30 Russian version
Fix in Progress, Use Mitigation
JF229A HP MSR30-40 Router, JF230A HP MSR30-60 Router, JF235A HP MSR30-20 DC
Router, JF284A HP MSR30-20 Router, JF287A HP MSR30-40 DC Router, JF801A HP
MSR30-60 DC Router, JF802A HP MSR30-20 PoE Router, JF803A HP MSR30-40 PoE
Router, JF804A HP MSR30-60 PoE Router
H3C RT-MSR3040-AC-OVS-H (0235A299), H3C RT-MSR3060-AC-OVS-H3 (0235A320), H3C
RT-MSR3020-DC-OVS-H3 (0235A267), H3C MSR 30-20 Router (0235A328), H3C MSR
30-40 Router Host(DC) (0235A268), H3C RT-MSR3060-DC-OVS-H3 (0235A269), H3C
RT-MSR3020-AC-POE-OVS-H3 (0235A322), H3C RT-MSR3040-AC-POE-OVS-H3 (0235A323),
H3C RT-MSR3060-AC-POE-OVS-H3 (0235A296)
N/A
MSR30-16 Russian version
Fix in Progress, Use Mitigation
JF233A HP MSR30-16 Router, JF234A HP MSR30-16 PoE Router
H3C RT-MSR3016-AC-OVS-H3 (0235A327), H3C RT-MSR3016-AC-POE-OVS-H3 (0235A321)
N/A
MSR30-1X Russian version
Fix in Progress, Use Mitigation
JF800A HP MSR30-11 Router, JF816A HP MSR30-10 2 FE /2 SIC /1 MIM MS Rtr,
JG182A HP MSR30-11E Router, JG183A HP MSR30-11F Router, JG184A HP MSR30-10 DC
Router
H3C RT-MSR3011-AC-OVS-H3 (0235A29L), H3C MSR 30-10 Router Host(AC) 2FE 2SIC
1XMIM 256DDR (0235A39H)
N/A
MSR50 Russian version
Fix in Progress, Use Mitigation
JD433A HP MSR50-40 Router, JD653A HP MSR50 Processor Module, JD655A HP
MSR50-40 Multi-Service Router, JD656A HP MSR50-60 Multi-Service Router,
JF231A HP MSR50-60 Router, JF285A HP MSR50-40 DC Router, JF640A HP MSR50-60
Rtr Chassis w DC PwrSupply
H3C MSR 50-40 Router (0235A297), H3C MSR 50 Processor Module (0231A791), H3C
MSR 50-40 Chassis (0235A20N), H3C MSR 50-60 Chassis (0235A20L), H3C
RT-MSR5060-AC-OVS-H3 (0235A298), H3C MSR5040-DC-OVS-H3C (0235A20P)
N/A
MSR50 G2 Russian version
Fix in Progress, Use Mitigation
JD429B HP MSR50 G2 Processor Module
H3C MSR 50 High Performance Main Processing Unit 3GE (Combo) 256F/1GD
(0231A0KL)
N/A
MSR9XX
Fix in Progress, Use Mitigation
JF812A HP MSR900 Router, JF813A HP MSR920 Router, JF814A HP MSR900-W Router,
JF815A HP MSR920 2FEWAN/8FELAN/.11b/g Rtr, JG207A HP MSR900-W Router (NA),
JG208A HP MSR920-W Router (NA)
H3C MSR 900 Router with 802.11b/g 2 FE WAN 4 FE LAN 256DDR 802.11b
(0235A0C2), H3C MSR 900 Router 2 FE WAN 4 FE LAN 256DDR (0235A0BX), H3C MSR
920 Router with 802.11b/g 2 FE WAN 8 FE LAN 256DDR (0235A0C4), H3C MSR 920
Router 2 FE WAN 8 FE LAN 256DDR (0235A0C0)
N/A
MSR93X
Fix in Progress, Use Mitigation
JG512A HP MSR930 Wireless Router, JG513A HP MSR930 3G Router, JG514A HP
MSR931 Router, JG515A HP MSR931 3G Router, JG516A HP MSR933 Router, JG517A HP
MSR933 3G Router, JG518A HP MSR935 Router, JG519A HP MSR935 Wireless Router,
JG520A HP MSR935 3G Router, JG531A HP MSR931 Dual 3G Router, JG596A HP MSR930
4G LTE/3G CDMA Router, JG597A HP MSR936 Wireless Router, JG665A HP MSR930 4G
LTE/3G WCDMA Global Router, JG704A HP MSR930 4G LTE/3G WCDMA ATT Router
N/A
N/A
MSR1000
Fix in Progress, Use Mitigation
JG732A HP MSR1003-8 AC Router
N/A
N/A
MSR1000 Russian version
Fix in Progress, Use Mitigation
JG732A HP MSR1003-8 AC Router
N/A
N/A
MSR2000
Fix in Progress, Use Mitigation
JG411A HP MSR2003 AC Router
N/A
N/A
MSR3000
Fix in Progress, Use Mitigation
JG404A HP MSR3064 Router, JG405A HP MSR3044 Router, JG406A HP MSR3024 AC
Router, JG409A HP MSR3012 AC Router, JG861A HP MSR3024 TAA-compliant AC
Router
N/A
N/A
MSR4000
Fix in Progress, Use Mitigation
JG402A HP MSR4080 Router Chassis, JG403A HP MSR4060 Router Chassis, JG412A
HP MSR4000 MPU-100 Main Processing Unit
N/A
N/A
F5000
Fix in Progress, Use Mitigation
JG216A HP F5000 Firewall Standalone Chassis, JD259A HP A5000-A5 VPN Firewall
Chassis
H3C SecPath F5000-A5 Host System (0150A0AG)
N/A
F5000 C
R3811P03
JG650A HP F5000-C VPN Firewall Appliance
N/A
N/A
F5000 S
R3811P03
JG370A HP F5000-S VPN Firewall Appliance
N/A
N/A
U200S and CS
Fix in Progress, Use Mitigation
JD268A HP 200-CS UTM Appliance, JD273A HP U200-S UTM Appliance
H3C SecPath U200-S (0235A36N)
N/A
U200A and M
Fix in Progress, Use Mitigation
JD274A HP 200-M UTM Appliance, JD275A HP U200-A UTM Appliance
H3C SecPath U200-A (0235A36Q)
N/A
SecBlade III
R3820P03
JG371A HP 12500 20Gbps VPN Firewall Module, JG372A HP 10500/11900/7500
20Gbps VPN FW Mod
N/A
N/A
SecBlade FW
R3181P05
JC635A HP 12500 VPN Firewall Module, JD245A HP 9500 VPN Firewall Module,
JD249A HP 10500/7500 Advanced VPN Firewall Mod, JD250A HP 6600 Firewall
Processing Rtr Module, JD251A HP 8800 Firewall Processing Module, JD255A HP
5820 VPN Firewall Module
H3C S9500E SecBlade VPN Firewall Module (0231A0AV), H3C S7500E SecBlade VPN
Firewall Module (0231A832), H3C SR66 Gigabit Firewall Module (0231A88A), H3C
SR88 Firewall Processing Module (0231A88L), H3C S5820 SecBlade VPN Firewall
Module (0231A94J)
N/A
F1000E
R3181P05
JD272A HP F1000-E VPN Firewall Appliance
F1000-A
R3734P06
JG214A HP F1000-A-EI VPN Firewall Appliance
F1000-S
R3734P06
JG213A HP F1000-S-EI VPN Firewall Appliance
VSR1000
Fix in Progress, Use Mitigation
JG810AAE HP VSR1001 Virtual Services Router 60 Day Evaluation Software,
JG811AAE HP VSR1001 Comware 7 Virtual Services Router, JG812AAE HP VSR1004
Comware 7 Virtual Services Router, JG813AAE HP VSR1008 Comware 7 Virtual
Services Router
N/A
N/A
WX5002/5004
Fix in Progress, Use Mitigation
JD441A HP 5800 ACM for 64-256 APs, JD447B HP WX5002 Access Controller,
JD448A HP A-WX5004 Access Controller, JD448B HP WX5004 Access Controller,
JD469A HP A-WX5004 (3Com) Access Controller, JG261A HP 5800 Access Controller
OAA TAA Mod
N/A
N/A
HP 850/870
Fix in Progress, Use Mitigation
JG723A HP 870 Unified Wired-WLAN Appliance, JG725A HP 870 Unifd Wrd-WLAN TAA
Applnc, JG722A HP 850 Unified Wired-WLAN Appliance, JG724A HP 850 Unifd
Wrd-WLAN TAA Applnc
N/A
N/A
HP 830
Fix in Progress, Use Mitigation
JG640A HP 830 24P PoE+ Unifd Wired-WLAN Swch, JG641A HP 830 8P PoE+ Unifd
Wired-WLAN Swch, JG646A HP 830 24-Port PoE+ Wrd-WLAN TAA Switch, JG647A HP
830 8-Port PoE+ Wrd-WLAN TAA Switch
N/A
N/A
HP 6000
Fix in Progress, Use Mitigation
JG639A HP 10500/7500 20G Unified Wired-WLAN Mod, JG645A HP 10500/7500 20G
Unifd Wrd-WLAN TAA Mod
N/A
N/A
VCX
Fix in Progress, Use Mitigation
J9672A HP VCX V7205 Platform w/ DL360 G7 Srvr, J9668A HP VCX IPC V7005
Pltfrm w/ DL120 G6 Srvr, JC517A HP VCX V7205 Platform w/DL 360 G6 Server,
JE355A HP VCX V6000 Branch Platform 9.0, JC516A HP VCX V7005 Platform w/DL
120 G6 Server, JC518A HP VCX Connect 200 Primry 120 G6 Server, J9669A HP VCX
IPC V7310 Pltfrm w/ DL360 G7 Srvr, JE341A HP VCX Connect 100 Secondary,
JE252A HP VCX Connect Primary MIM Module, JE253A HP VCX Connect Secondary MIM
Module, JE254A HP VCX Branch MIM Module, JE355A HP VCX V6000 Branch Platform
9.0, JD028A HP MS30-40 RTR w/VCX + T1/FXO/FXS/Mod, JD023A HP MSR30-40 Router
with VCX MIM Module, JD024A HP MSR30-16 RTR w/VCX Ent Br Com MIM, JD025A HP
MSR30-16 RTR w/VCX + 4FXO/2FXS Mod, JD026A HP MSR30-16 RTR w/VCX + 8FXO/4FXS
Mod, JD027A HP MSR30-16 RTR w/VCX + 8BRI/4FXS Mod, JD029A HP MSR30-16 RTR
w/VCX + E1/4BRI/4FXS, JE340A HP VCX Connect 100 Pri Server 9.0, JE342A HP VCX
Connect 100 Sec Server 9.0
N/A
N/A
HISTORY
Version:1 (rev.1) - 18 February 2015 Initial release
Copyright 2015 Hewlett-Packard Development Company, L.P.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201412-34
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: NTP: Multiple vulnerabilities
Date: December 24, 2014
Bugs: #533076
ID: 201412-34
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in NTP, the worst of which
could result in remote execution of arbitrary code. The net-misc/ntp package contains the official reference
implementation by the NTP Project.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/ntp < 4.2.8 >= 4.2.8
Description
===========
Multiple vulnerabilities have been discovered in NTP. Please review the
CVE identifiers referenced below for details.
Resolution
==========
All NTP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.8"
References
==========
[ 1 ] CVE-2014-9293
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9293
[ 2 ] CVE-2014-9294
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9294
[ 3 ] CVE-2014-9295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9295
[ 4 ] CVE-2014-9296
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9296
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-34.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-202002-0749 | CVE-2014-9390 | Vulnerability in multiple products that allows remote Git servers to execute arbitrary commands |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem. Git is prone to a vulnerability that may allow attackers to overwrite arbitrary local files.
Successful exploits may allow an attacker to write arbitrary files in the context of the user running the affected application. libgit2 is a portable Git core development library implemented in C. Apple Xcode is an integrated development environment that Apple provides to developers. Mercurial is a product of software developer Matt Mackall. The affected products contain an input validation error: they fail to properly validate input data.
Background
==========
Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201612-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mercurial: Multiple vulnerabilities
Date: December 07, 2016
Bugs: #533008, #544332, #578546, #582238
ID: 201612-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Mercurial, the worst of
which could lead to the remote execution of arbitrary code.
Background
==========
Mercurial is a distributed source control management system.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-vcs/mercurial < 3.8.4 >= 3.8.4
Description
===========
Multiple vulnerabilities have been discovered in Mercurial. Please
review the CVE identifier and bug reports referenced for details.
Impact
======
A remote attacker could possibly execute arbitrary code with the
privileges of the process.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All mercurial users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/mercurial-3.8.4"
References
==========
[ 1 ] CVE-2014-9390
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9390
[ 2 ] CVE-2014-9462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9462
[ 3 ] CVE-2016-3068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3068
[ 4 ] CVE-2016-3069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3069
[ 5 ] CVE-2016-3105
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3105
[ 6 ] CVE-2016-3630
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3630
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201612-19
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:169
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : git
Date : March 30, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated git packages fix security vulnerability:
It was reported that git, when used as a client on a case-insensitive
filesystem, could allow the overwrite of the .git/config file when
the client performed a git pull. Because git permitted committing
.Git/config (or any case variation), on the pull this would replace the
user's .git/config. If this malicious config file contained defined
external commands (such as for invoking an editor or an external diff
utility) it could allow for the execution of arbitrary code with the
privileges of the user running the git client (CVE-2014-9390).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
http://advisories.mageia.org/MGASA-2014-0546.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
==========================================================================
Ubuntu Security Notice USN-2470-1
January 14, 2015
git vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Git could be made to run programs as your login if it received specially
crafted changes from a remote repository.
Software Description:
- git: fast, scalable, distributed revision control system
Details:
Matt Mackall and Augie Fackler discovered that Git incorrectly handled certain
filesystem paths. The
remote attacker would need write access to a Git repository that the victim
pulls from.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
git 1:2.1.0-1ubuntu0.1
Ubuntu 14.04 LTS:
git 1:1.9.1-1ubuntu0.1
Ubuntu 12.04 LTS:
git 1:1.7.9.5-1ubuntu0.1
After a standard system update you need to set the core.protectHFS and/or
core.protectNTFS Git configuration variables to "true" if you store Git trees
in HFS+ and/or NTFS filesystems. If you host Git trees, setting the
core.protectHFS, core.protectNTFS, and receive.fsckObjects Git configuration
variables to "true" will cause your Git server to reject objects containing
malicious paths intended to overwrite the Git metadata.
References:
http://www.ubuntu.com/usn/usn-2470-1
CVE-2014-9390
Package Information:
https://launchpad.net/ubuntu/+source/git/1:2.1.0-1ubuntu0.1
https://launchpad.net/ubuntu/+source/git/1:1.9.1-1ubuntu0.1
https://launchpad.net/ubuntu/+source/git/1:1.7.9.5-1ubuntu0.1
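The three path forms named in the CVE-2014-9390 entry (ignorable Unicode code point, git~1, mixed case) and the server-side rejection of malicious paths described in the notice above can be audited with a short path checker. This is an added example, not code from Git or from any of the advisories; it is a simplified approximation, and the ignorable code point set, the trailing dot/space rule, the function names and the sample paths are assumptions of the example.

```python
"""Flag tree paths whose components could be treated as ".git" on HFS+ or NTFS.

Added illustration (simplified approximation, not Git's own check).
"""
import re

# Assumption of this example: code points that HFS+ ignores when comparing names.
HFS_IGNORABLE = frozenset(
    [0x200C, 0x200D, 0x200E, 0x200F, 0xFEFF]
    + list(range(0x202A, 0x202F))  # U+202A..U+202E
    + list(range(0x206A, 0x2070))  # U+206A..U+206F
)


def classify_component(name):
    """Return the reasons one path component aliases ".git" (empty list if none)."""
    reasons = []
    lowered = name.lower()

    if name == ".git":
        reasons.append("exact")
    elif lowered == ".git":
        # Form (3): mixed case on a case-insensitive filesystem.
        reasons.append("case")

    # Form (1): ignorable code points vanish in HFS+ name comparison
    # (the family that core.protectHFS addresses).
    stripped = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE)
    if stripped != name and stripped.lower() == ".git":
        reasons.append("hfs-ignorable")

    # Form (2) and related NTFS behaviour (the family that core.protectNTFS
    # addresses): 8.3 short name "git~1", and trailing dots/spaces ignored.
    trimmed = lowered.rstrip(". ")
    if trimmed == "git~1":
        reasons.append("ntfs-short-name")
    elif trimmed == ".git" and lowered != ".git":
        reasons.append("ntfs-trailing")

    return reasons


def audit_paths(paths):
    """Map each suspicious path to a list of (component, reasons) findings."""
    findings = {}
    for path in paths:
        hits = []
        # Backslash is split too, because it is a separator on Windows.
        for component in re.split(r"[/\\]", path):
            reasons = classify_component(component)
            if reasons:
                hits.append((component, reasons))
        if hits:
            findings[path] = hits
    return findings


# Constructed sample: paths as they might appear in a received tree.
SAMPLE_TREE_PATHS = [
    "src/main.c",
    "docs/.gitignore",
    ".Git/config",
    "git~1/config",
    ".g\u200cit/config",
    "vendor/.GIT /hooks/post-checkout",
]

if __name__ == "__main__":
    for path, hits in audit_paths(SAMPLE_TREE_PATHS).items():
        for component, reasons in hits:
            print(f"{path!r}: component {component!r} -> {', '.join(reasons)}")
```

A checker like this is useful for reviewing archived or mirrored trees; on a live server the notice's receive.fsckObjects, core.protectHFS and core.protectNTFS settings remain the enforcement point.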
APPLE-SA-2015-03-09-4 Xcode 6.2
Xcode 6.2 is now available and addresses the following:
subversion
Available for: OS X Mavericks v10.9.4 or later
Impact: Multiple vulnerabilities in Apache Subversion
Description: Multiple vulnerabilities existed in Apache Subversion,
the most serious of which may have allowed an attacker with a
privileged position to spoof SSL servers via a crafted certificate.
These issues were addressed by updating Apache Subversion to version
1.7.19.
CVE-ID
CVE-2014-3522
CVE-2014-3528
CVE-2014-3580
CVE-2014-8108
Git
Available for: OS X Mavericks v10.9.4 or later
Impact: Synching with a malicious git repository may allow
unexpected files to be added to the .git folder
Description: The checks involved in disallowed paths did not account
for case insensitivity or unicode characters. This issue was
addressed by adding additional checks.
CVE-ID
CVE-2014-9390 : Matt Mackall of Mercurial and Augie Fackler of
Mercurial
Xcode 6.2 may be obtained from:
https://developer.apple.com/xcode/downloads/
To check that the Xcode has been updated:
* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "6.2"
| VAR-201510-0705 | CVE-2014-9750 | NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated) |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field. The NTP Project ntpd version 4.2.7 and previous versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client. NTP is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: ntp security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2231-04
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2231.html
Issue date: 2015-11-19
CVE Names: CVE-2014-9297 CVE-2014-9298 CVE-2014-9750
CVE-2014-9751 CVE-2015-1798 CVE-2015-1799
CVE-2015-3405
=====================================================================
1. Summary:
Updated ntp packages that fix multiple security issues, several bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
3. Description:
The Network Time Protocol (NTP) is used to synchronize a computer's time
with another referenced time source. These packages include the ntpd
service which continuously adjusts system time and utilities used to query
and configure the ntpd service.
It was found that because NTP's access control was based on a source IP
address, an attacker could bypass source IP restrictions and send
malicious control and configuration packets by spoofing ::1 addresses.
(CVE-2014-9298, CVE-2014-9751)
A denial of service flaw was found in the way NTP hosts that were peering
with each other authenticated themselves before updating their internal
state variables. An attacker could send packets to one peer host, which
could cascade to other peers, and stop the synchronization process among
the reached peers. (CVE-2015-1799)
A flaw was found in the way the ntp-keygen utility generated MD5 symmetric
keys on big-endian systems. An attacker could possibly use this flaw to
guess generated MD5 keys, which could then be used to spoof an NTP client
or server. (CVE-2015-3405)
A stack-based buffer overflow was found in the way the NTP autokey protocol
was implemented. (CVE-2014-9297, CVE-2014-9750)
It was found that ntpd did not check whether a Message Authentication Code
(MAC) was present in a received packet when ntpd was configured to use
symmetric cryptographic keys. A man-in-the-middle attacker could use this
flaw to send crafted packets that would be accepted by a client or a peer
without the attacker knowing the symmetric key. (CVE-2015-1798)
The CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav
Lichvár of Red Hat.
Bug fixes:
* The ntpd service truncated symmetric keys specified in the key file to 20
bytes. As a consequence, it was impossible to configure NTP authentication
to work with peers that use longer keys. With this update, the maximum key
length has been changed to 32 bytes. (BZ#1191111)
* The ntpd service could previously join multicast groups only when
starting, which caused problems if ntpd was started during system boot
before network was configured. With this update, ntpd attempts to join
multicast groups every time network configuration is changed. (BZ#1207014)
* Previously, the ntp-keygen utility used the exponent of 3 when generating
RSA keys. Consequently, generating RSA keys failed when FIPS mode was
enabled. With this update, ntp-keygen has been modified to use the exponent
of 65537, and generating keys in FIPS mode now works as expected.
(BZ#1191116)
* The ntpd service dropped incoming NTP packets if their source port was
lower than 123 (the NTP port). With this update, ntpd no longer checks the
source port number, and clients behind NAT are now able to correctly
synchronize with the server. (BZ#1171640)
Enhancements:
* This update adds support for configurable Differentiated Services Code
Points (DSCP) in NTP packets, simplifying configuration in large networks
where different NTP implementations or versions are using different DSCP
values. (BZ#1202828)
* This update adds the ability to configure separate clock stepping
thresholds for each direction (backward and forward). Use the "stepback"
and "stepfwd" options to configure each threshold. (BZ#1193154)
* Support for nanosecond resolution has been added to the Structural
Health Monitoring (SHM) reference clock. Prior to this update, when a
Precision Time Protocol (PTP) hardware clock was used as a time source to
synchronize the system clock, the accuracy of the synchronization was
limited due to the microsecond resolution of the SHM protocol. The
nanosecond extension in the SHM protocol now allows sub-microsecond
synchronization of the system clock. (BZ#1117702)
All ntp users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1117702 - SHM refclock doesn't support nanosecond resolution
1122012 - SHM refclock allows only two units with owner-only access
1171640 - NTP drops requests when sourceport is below 123
1180721 - ntp: mreadvar command crash in ntpq
1184572 - CVE-2014-9298 CVE-2014-9751 ntp: drop packets with source address ::1
1184573 - CVE-2014-9297 CVE-2014-9750 ntp: vallen in extension fields are not validated
1191108 - ntpd should warn when monitoring facility can't be disabled due to restrict configuration
1191122 - ntpd -x steps clock on leap second
1193154 - permit differential fwd/back threshold for step vs. slew [PATCH]
1199430 - CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto
1199435 - CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks
1210324 - CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
aarch64:
ntp-4.2.6p5-22.el7.aarch64.rpm
ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm
ntpdate-4.2.6p5-22.el7.aarch64.rpm
ppc64:
ntp-4.2.6p5-22.el7.ppc64.rpm
ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm
ntpdate-4.2.6p5-22.el7.ppc64.rpm
ppc64le:
ntp-4.2.6p5-22.el7.ppc64le.rpm
ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm
ntpdate-4.2.6p5-22.el7.ppc64le.rpm
s390x:
ntp-4.2.6p5-22.el7.s390x.rpm
ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm
ntpdate-4.2.6p5-22.el7.s390x.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
aarch64:
ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm
sntp-4.2.6p5-22.el7.aarch64.rpm
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm
sntp-4.2.6p5-22.el7.ppc64.rpm
ppc64le:
ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm
sntp-4.2.6p5-22.el7.ppc64le.rpm
s390x:
ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm
sntp-4.2.6p5-22.el7.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-9297
https://access.redhat.com/security/cve/CVE-2014-9298
https://access.redhat.com/security/cve/CVE-2014-9750
https://access.redhat.com/security/cve/CVE-2014-9751
https://access.redhat.com/security/cve/CVE-2015-1798
https://access.redhat.com/security/cve/CVE-2015-1799
https://access.redhat.com/security/cve/CVE-2015-3405
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
An attacker could use a specially crafted
package to cause ntpd to crash if:
* ntpd enabled remote configuration
* The attacker had the knowledge of the configuration password
* The attacker had access to a computer entrusted to perform remote
configuration
Note that remote configuration is disabled by default in NTP.
CVE-2015-5194
It was found that ntpd could crash due to an uninitialized
variable when processing malformed logconfig configuration
commands.
CVE-2015-5195
It was found that ntpd exits with a segmentation fault when a
statistics type that was not enabled during compilation (e.g.
timingstats) is referenced by the statistics or filegen
configuration command.
CVE-2015-5219
It was discovered that sntp program would hang in an infinite loop
when a crafted NTP packet was received, related to the conversion
of the precision value in the packet to double.
CVE-2015-5300
It was found that ntpd did not correctly implement the -g option:
Normally, ntpd exits with a message to the system log if the offset
exceeds the panic threshold, which is 1000 s by default. This
option allows the time to be set to any value without restriction;
however, this can happen only once. If the threshold is exceeded
after that, ntpd will exit with a message to the system log. This
option can be used with the -q and -x options.
ntpd could actually step the clock multiple times by more than the
panic threshold if its clock discipline doesn't have enough time to
reach the sync state and stay there for at least one update. If a
man-in-the-middle attacker can control the NTP traffic since ntpd
was started (or maybe up to 15-30 minutes after that), they can
prevent the client from reaching the sync state and force it to step
its clock by any amount any number of times, which can be used by
attackers to expire certificates, etc.
This is contrary to what the documentation says. Normally, the
assumption is that an MITM attacker can step the clock more than the
panic threshold only once when ntpd starts and to make a larger
adjustment the attacker has to divide it into multiple smaller
steps, each taking 15 minutes, which is slow.
CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
It was found that the fix for CVE-2014-9750 was incomplete: three
issues were found in the value length checks in ntp_crypto.c, where
a packet with particular autokey operations that contained malicious
data was not always being completely validated. Receipt of these
packets can cause ntpd to crash.
CVE-2015-7701
A memory leak flaw was found in ntpd's CRYPTO_ASSOC.
CVE-2015-7703
Miroslav Lichvar of Red Hat found that the :config command can be
used to set the pidfile and driftfile paths without any
restrictions. A remote attacker could use this flaw to overwrite a
file on the file system with a file containing the pid of the ntpd
process (immediately) or the current estimated drift of the system
clock (in hourly intervals). For example:
ntpq -c ':config pidfile /tmp/ntp.pid'
ntpq -c ':config driftfile /tmp/ntp.drift'
In Debian ntpd is configured to drop root privileges, which limits
the impact of this issue.
CVE-2015-7704
If ntpd as an NTP client receives a Kiss-of-Death (KoD) packet
from the server to reduce its polling rate, it doesn't check if the
originate timestamp in the reply matches the transmit timestamp from
its request. An off-path attacker can send a crafted KoD packet to
the client, which will increase the client's polling interval to a
large value and effectively disable synchronization with the server.
CVE-2015-7850
An exploitable denial of service vulnerability exists in the remote
configuration functionality of the Network Time Protocol. A
specially crafted configuration file could cause an endless loop
resulting in a denial of service. An attacker could provide the
malicious configuration file to trigger this vulnerability.
CVE-2015-7852
A potential off by one vulnerability exists in the cookedprint
functionality of ntpq. A specially crafted buffer could cause a
buffer overflow potentially resulting in a null byte being written out
of bounds.
CVE-2015-7855
It was found that NTP's decodenetnum() would abort with an assertion
failure when processing a mode 6 or mode 7 packet containing an
unusually long data value where a network address was expected. This
could allow an authenticated attacker to crash ntpd.
CVE-2015-7871
An error handling logic error exists within ntpd that manifests due
to improper error condition handling associated with certain
crypto-NAK packets. An unauthenticated, off-path attacker can force
ntpd processes on targeted servers to peer with time sources of the
attacker's choosing by transmitting symmetric active crypto-NAK
packets to ntpd. This attack bypasses the authentication typically
required to establish a peer association and allows an attacker to
make arbitrary changes to system time.
For the oldstable distribution (wheezy), these problems have been fixed
in version 1:4.2.6.p5+dfsg-2+deb7u6.
For the stable distribution (jessie), these problems have been fixed in
version 1:4.2.6.p5+dfsg-7+deb8u1.
For the testing distribution (stretch), these problems have been fixed
in version 1:4.2.8p4+dfsg-3.
For the unstable distribution (sid), these problems have been fixed in
version 1:4.2.8p4+dfsg-3.
We recommend that you upgrade your ntp packages.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.8p4-i486-1_slack14.1.txz: Upgraded.
In addition to bug fixes and enhancements, this release fixes
several low and medium severity vulnerabilities.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871
(* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.
Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p4-i486-1_slack13.0.txz
Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p4-x86_64-1_slack13.0.txz
Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p4-i486-1_slack13.1.txz
Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p4-x86_64-1_slack13.1.txz
Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p4-i486-1_slack13.37.txz
Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p4-x86_64-1_slack13.37.txz
Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p4-i486-1_slack14.0.txz
Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p4-x86_64-1_slack14.0.txz
Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p4-i486-1_slack14.1.txz
Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p4-x86_64-1_slack14.1.txz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p4-i586-1.txz
Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p4-x86_64-1.txz
MD5 signatures:
+-------------+
Installation instructions:
+------------------------+
Upgrade the package as root:
# upgradepkg ntp-4.2.8p4-i486-1_slack14.1.txz
Then, restart the NTP daemon:
# sh /etc/rc.d/rc.ntpd restart
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
| VAR-201510-0706 | CVE-2014-9751 | NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated) |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before 4.2.8p1 on Linux and OS X does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address. The NTP Project ntpd version 4.2.7 and previous versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client. Supplementary information: the vulnerability type has been identified as CWE-17: Code. NTP is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and to perform unauthorized actions; this may aid in launching further attacks.
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: ntp security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2231-04
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2231.html
Issue date: 2015-11-19
CVE Names: CVE-2014-9297 CVE-2014-9298 CVE-2014-9750
CVE-2014-9751 CVE-2015-1798 CVE-2015-1799
CVE-2015-3405
=====================================================================
1. Summary:
Updated ntp packages that fix multiple security issues, several bugs, and
add various enhancements are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64
3. Description:
The Network Time Protocol (NTP) is used to synchronize a computer's time
with another referenced time source. These packages include the ntpd
service which continuously adjusts system time and utilities used to query
and configure the ntpd service.
It was found that because NTP's access control was based on a source IP
address, an attacker could bypass source IP restrictions and send
malicious control and configuration packets by spoofing ::1 addresses.
(CVE-2014-9298, CVE-2014-9751)
A denial of service flaw was found in the way NTP hosts that were peering
with each other authenticated themselves before updating their internal
state variables. An attacker could send packets to one peer host, which
could cascade to other peers, and stop the synchronization process among
the reached peers. (CVE-2015-1799)
A flaw was found in the way the ntp-keygen utility generated MD5 symmetric
keys on big-endian systems. An attacker could possibly use this flaw to
guess generated MD5 keys, which could then be used to spoof an NTP client
or server. (CVE-2015-3405)
A stack-based buffer overflow was found in the way the NTP autokey protocol
was implemented. (CVE-2014-9297, CVE-2014-9750)
It was found that ntpd did not check whether a Message Authentication Code
(MAC) was present in a received packet when ntpd was configured to use
symmetric cryptographic keys. A man-in-the-middle attacker could use this
flaw to send crafted packets that would be accepted by a client or a peer
without the attacker knowing the symmetric key. (CVE-2015-1798)
The CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav
Lichvár of Red Hat.
Bug fixes:
* The ntpd service truncated symmetric keys specified in the key file to 20
bytes. As a consequence, it was impossible to configure NTP authentication
to work with peers that use longer keys. With this update, the maximum key
length has been changed to 32 bytes. (BZ#1191111)
* The ntpd service could previously join multicast groups only when
starting, which caused problems if ntpd was started during system boot
before network was configured. With this update, ntpd attempts to join
multicast groups every time network configuration is changed. (BZ#1207014)
* Previously, the ntp-keygen utility used the exponent of 3 when generating
RSA keys. Consequently, generating RSA keys failed when FIPS mode was
enabled. With this update, ntp-keygen has been modified to use the exponent
of 65537, and generating keys in FIPS mode now works as expected.
(BZ#1191116)
* The ntpd service dropped incoming NTP packets if their source port was
lower than 123 (the NTP port). With this update, ntpd no longer checks the
source port number, and clients behind NAT are now able to correctly
synchronize with the server. (BZ#1171640)
Enhancements:
* This update adds support for configurable Differentiated Services Code
Points (DSCP) in NTP packets, simplifying configuration in large networks
where different NTP implementations or versions are using different DSCP
values. (BZ#1202828)
* This update adds the ability to configure separate clock stepping
thresholds for each direction (backward and forward). Use the "stepback"
and "stepfwd" options to configure each threshold. (BZ#1193154)
* Support for nanosecond resolution has been added to the Structural
Health Monitoring (SHM) reference clock. Prior to this update, when a
Precision Time Protocol (PTP) hardware clock was used as a time source to
synchronize the system clock, the accuracy of the synchronization was
limited due to the microsecond resolution of the SHM protocol. The
nanosecond extension in the SHM protocol now allows sub-microsecond
synchronization of the system clock. (BZ#1117702)
All ntp users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1117702 - SHM refclock doesn't support nanosecond resolution
1122012 - SHM refclock allows only two units with owner-only access
1171640 - NTP drops requests when sourceport is below 123
1180721 - ntp: mreadvar command crash in ntpq
1184572 - CVE-2014-9298 CVE-2014-9751 ntp: drop packets with source address ::1
1184573 - CVE-2014-9297 CVE-2014-9750 ntp: vallen in extension fields are not validated
1191108 - ntpd should warn when monitoring facility can't be disabled due to restrict configuration
1191122 - ntpd -x steps clock on leap second
1193154 - permit differential fwd/back threshold for step vs. slew [PATCH]
1199430 - CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto
1199435 - CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks
1210324 - CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
aarch64:
ntp-4.2.6p5-22.el7.aarch64.rpm
ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm
ntpdate-4.2.6p5-22.el7.aarch64.rpm
ppc64:
ntp-4.2.6p5-22.el7.ppc64.rpm
ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm
ntpdate-4.2.6p5-22.el7.ppc64.rpm
ppc64le:
ntp-4.2.6p5-22.el7.ppc64le.rpm
ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm
ntpdate-4.2.6p5-22.el7.ppc64le.rpm
s390x:
ntp-4.2.6p5-22.el7.s390x.rpm
ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm
ntpdate-4.2.6p5-22.el7.s390x.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
aarch64:
ntp-debuginfo-4.2.6p5-22.el7.aarch64.rpm
sntp-4.2.6p5-22.el7.aarch64.rpm
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
ppc64:
ntp-debuginfo-4.2.6p5-22.el7.ppc64.rpm
sntp-4.2.6p5-22.el7.ppc64.rpm
ppc64le:
ntp-debuginfo-4.2.6p5-22.el7.ppc64le.rpm
sntp-4.2.6p5-22.el7.ppc64le.rpm
s390x:
ntp-debuginfo-4.2.6p5-22.el7.s390x.rpm
sntp-4.2.6p5-22.el7.s390x.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
ntp-4.2.6p5-22.el7.src.rpm
x86_64:
ntp-4.2.6p5-22.el7.x86_64.rpm
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
ntpdate-4.2.6p5-22.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
ntp-doc-4.2.6p5-22.el7.noarch.rpm
ntp-perl-4.2.6p5-22.el7.noarch.rpm
x86_64:
ntp-debuginfo-4.2.6p5-22.el7.x86_64.rpm
sntp-4.2.6p5-22.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-9297
https://access.redhat.com/security/cve/CVE-2014-9298
https://access.redhat.com/security/cve/CVE-2014-9750
https://access.redhat.com/security/cve/CVE-2014-9751
https://access.redhat.com/security/cve/CVE-2015-1798
https://access.redhat.com/security/cve/CVE-2015-1799
https://access.redhat.com/security/cve/CVE-2015-3405
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
An attacker could use a specially crafted
package to cause ntpd to crash if:
* ntpd enabled remote configuration
* The attacker had the knowledge of the configuration password
* The attacker had access to a computer entrusted to perform remote
configuration
Note that remote configuration is disabled by default in NTP.
CVE-2015-5194
It was found that ntpd could crash due to an uninitialized
variable when processing malformed logconfig configuration
commands.
CVE-2015-5195
It was found that ntpd exits with a segmentation fault when a
statistics type that was not enabled during compilation (e.g.
timingstats) is referenced by the statistics or filegen
configuration command.
CVE-2015-5219
It was discovered that the sntp program would hang in an infinite loop
when a crafted NTP packet was received, related to the conversion
of the precision value in the packet to double.
CVE-2015-5300
It was found that ntpd did not correctly implement the -g option:
Normally, ntpd exits with a message to the system log if the offset
exceeds the panic threshold, which is 1000 s by default. This
option allows the time to be set to any value without restriction;
however, this can happen only once. If the threshold is exceeded
after that, ntpd will exit with a message to the system log. This
option can be used with the -q and -x options.
ntpd could actually step the clock multiple times by more than the
panic threshold if its clock discipline doesn't have enough time to
reach the sync state and stay there for at least one update. If a
man-in-the-middle attacker can control the NTP traffic since ntpd
was started (or maybe up to 15-30 minutes after that), they can
prevent the client from reaching the sync state and force it to step
its clock by any amount any number of times, which can be used by
attackers to expire certificates, etc.
This is contrary to what the documentation says. Normally, the
assumption is that an MITM attacker can step the clock more than the
panic threshold only once when ntpd starts and to make a larger
adjustment the attacker has to divide it into multiple smaller
steps, each taking 15 minutes, which is slow.
CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
It was found that the fix for CVE-2014-9750 was incomplete: three
issues were found in the value length checks in ntp_crypto.c, where
a packet with particular autokey operations that contained malicious
data was not always being completely validated. Receipt of these
packets can cause ntpd to crash.
CVE-2015-7701
A memory leak flaw was found in ntpd's CRYPTO_ASSOC.
CVE-2015-7703
Miroslav Lichvar of Red Hat found that the :config command can be
used to set the pidfile and driftfile paths without any
restrictions. A remote attacker could use this flaw to overwrite a
file on the file system with a file containing the pid of the ntpd
process (immediately) or the current estimated drift of the system
clock (in hourly intervals). For example:
ntpq -c ':config pidfile /tmp/ntp.pid'
ntpq -c ':config driftfile /tmp/ntp.drift'
In Debian ntpd is configured to drop root privileges, which limits
the impact of this issue.
CVE-2015-7704
If ntpd as an NTP client receives a Kiss-of-Death (KoD) packet
from the server to reduce its polling rate, it doesn't check if the
originate timestamp in the reply matches the transmit timestamp from
its request. An off-path attacker can send a crafted KoD packet to
the client, which will increase the client's polling interval to a
large value and effectively disable synchronization with the server.
CVE-2015-7850
An exploitable denial of service vulnerability exists in the remote
configuration functionality of the Network Time Protocol. A
specially crafted configuration file could cause an endless loop
resulting in a denial of service. An attacker could provide the
malicious configuration file to trigger this vulnerability.
CVE-2015-7852
A potential off by one vulnerability exists in the cookedprint
functionality of ntpq. A specially crafted buffer could cause a
buffer overflow potentially resulting in a null byte being written out
of bounds.
CVE-2015-7855
It was found that NTP's decodenetnum() would abort with an assertion
failure when processing a mode 6 or mode 7 packet containing an
unusually long data value where a network address was expected. This
could allow an authenticated attacker to crash ntpd.
CVE-2015-7871
An error handling logic error exists within ntpd that manifests due
to improper error condition handling associated with certain
crypto-NAK packets. An unauthenticated, off-path attacker can force
ntpd processes on targeted servers to peer with time sources of the
attacker's choosing by transmitting symmetric active crypto-NAK
packets to ntpd. This attack bypasses the authentication typically
required to establish a peer association and allows an attacker to
make arbitrary changes to system time.
For the oldstable distribution (wheezy), these problems have been fixed
in version 1:4.2.6.p5+dfsg-2+deb7u6.
For the stable distribution (jessie), these problems have been fixed in
version 1:4.2.6.p5+dfsg-7+deb8u1.
For the testing distribution (stretch), these problems have been fixed
in version 1:4.2.8p4+dfsg-3.
For the unstable distribution (sid), these problems have been fixed in
version 1:4.2.8p4+dfsg-3.
We recommend that you upgrade your ntp packages.
| VAR-201412-0434 | CVE-2014-9223 | Allegro rompager buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in AllegroSoft RomPager, as used in Huawei Home Gateway products and other vendors and products, allow remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors related to authorization. Allegro's RomPager is an embedded web service product, mostly used to provide WWW management capabilities for network printers, switches and other network devices.
Allegro RomPager is vulnerable to a buffer overflow because it fails to perform adequate boundary checks on user-supplied input. An attacker could exploit this vulnerability to execute arbitrary code in the context of an affected application. Failed exploit attempts will likely result in denial-of-service conditions.
Allegro RomPager 4.07 and prior to 4.34 are vulnerable
| VAR-201904-0511 | CVE-2014-5435 | Honeywell Experion PKS 'dual_onsrv.exe' Module Remote Code Execution Vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
An arbitrary memory write vulnerability exists in the dual_onsrv.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, that could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. Honeywell Experion PKS contains an out-of-bounds vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. Or initiate a denial of service attack. Failed exploit attempts will result in a denial-of-service condition.
The following versions are affected:
Honeywell Experion R40x versions prior to Experion PKS R400.6
Honeywell Experion R41x versions prior to Experion PKS R410.6
Honeywell Experion R43x versions prior to Experion PKS R430.2
| VAR-201412-0413 | CVE-2014-9193 | Innominate mGuard In the firmware root Privileged vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Innominate mGuard with firmware before 7.6.6 and 8.x before 8.1.4 allows remote authenticated admins to obtain root privileges by changing a PPP configuration setting. mGuard is a product line of Innominate, including firewalls and VPN network security devices. Innominate mGuard is prone to a remote privilege-escalation vulnerability.
A remote attacker can exploit this issue to gain root privileges and execute arbitrary commands.
Innominate mGuard 8.1.3 and prior are vulnerable. A security vulnerability exists in Innominate mGuard using firmware versions prior to 7.6.6 and 8.x versions prior to 8.1.4
| VAR-201412-0586 | CVE-2014-7249 | Multiple Allied Telesis products vulnerable to buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 9924SP, CentreCOM 9924T/4SP, Rapier 48i, and SwitchBlade4000 with firmware before 2.9.1-21 allows remote attackers to execute arbitrary code via a crafted HTTP POST request. Allied Telesis AT-RG634A ADSL Broadband Router is an ADSL broadband router product from Allied Telesis. A buffer overflow vulnerability exists in multiple Allied Telesis products that use firmware version 2.9.1-21. Failed exploit attempts may result in a denial-of-service condition. The following products and versions are affected: Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 9924SP, CentreCOM 9924T/4SP, Rapier 48i, SwitchBlade4000.
| VAR-201412-0101 | CVE-2014-9406 | ARRIS Touchstone TG862G/CT Telephony Gateway Vulnerabilities in which access rights can be obtained in firmware |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier has a default password of "password" for the admin account, which makes it easier for remote attackers to obtain access via a request to home_loggedout.php. ARRIS Touchstone TG862G/CT Telephony Gateway is a combined modem and router from Arris Group of the United States. Touchstone TG862G/CT firmware is prone to a remote security vulnerability. A remote attacker could exploit this vulnerability by sending a request to the home_loggedout.php script to gain access.
| VAR-201903-0651 | CVE-2014-9187 | Honeywell Experion PKS Module buffer error vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Multiple heap-based buffer overflow vulnerabilities exist in Honeywell Experion PKS all versions prior to R400.6, all versions prior to R410.6, and all versions prior to R430.2 modules, which could lead to possible remote code execution or denial of service. Honeywell strongly encourages and recommends all customers running unsupported versions of EKPS prior to R400 to upgrade to a supported version. The Honeywell Experion PKS module contains a buffer error vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Honeywell EPKS is used in the automation and control of industrial and production processes and is a distributed control system solution, including a web-based SCADA system. Honeywell Experion PKS has multiple remote heap buffer overflow vulnerabilities because it fails to perform sufficient boundary checking on user-supplied inputs. An attacker can exploit these vulnerabilities to execute arbitrary code or initiate a denial of service attack in the context of the affected user's application.
The following versions are affected:
Honeywell Experion R40x versions prior to Experion PKS R400.6
Honeywell Experion R41x versions prior to Experion PKS R410.6
Honeywell Experion R43x versions prior to Experion PKS R430.2