NTP 'ntp_io.c' Authentication Security Restriction Bypass Vulnerability
Release date:
Updated on:
Affected Systems:
NTP NTPd <= 4.2.7
Description:
Bugtraq id: 72584
CVE (CAN) ID: CVE-2014-9298
Network Time Protocol (NTP) is a protocol used to synchronize computer time. It can synchronize computers with their servers or with clock sources (such as quartz clocks and GPS).
ntpd 4.2.7 and earlier versions have multiple vulnerabilities. ntp-keygen earlier than version 4.2.7p230 uses a non-cryptographic random number generator to generate symmetric keys. ntpd can also be fooled by packets that appear to come from the IPv6 address ::1, which allows attackers to bypass ::1-based ACLs. These vulnerabilities may affect ntpd used as a server or as a client.
<* Source: Harlan Stenn
Link: https://www.kb.cert.org/vuls/id/852879
*>
Suggestion:
Temporary solution:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends that you take the following measures to reduce the threat:
* Restrict status queries
* Use firewall rules
* Disable Autokey authentication
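To make the ::1 ACL bypass and the "restrict status queries" mitigation concrete, here is an added model of ntpd's address-based restrict check (example code, not ntpd's own source): the vulnerable check consults only the source address, while the hardened check honours a loopback source only when the packet actually arrived on the loopback interface. The restrict table, the interface names and the sample packets are constructed assumptions.

```python
import ipaddress

# Constructed restrict table (assumed ntp.conf), following the advisory's
# advice to restrict status queries: everyone else gets noquery/nomodify,
# only the loopback addresses keep full access.
RESTRICT = {
    "default":   {"kod", "nomodify", "notrap", "nopeer", "noquery"},
    "127.0.0.1": set(),
    "::1":       set(),
}

def restrict_flags(src: str) -> set:
    """Flags that apply to a source address: an exact-address entry wins
    over 'default' (simplified from ntpd's longest-match table)."""
    return set(RESTRICT.get(src, RESTRICT["default"]))

def query_allowed_vulnerable(src: str, ingress_if: str) -> bool:
    """Pre-fix logic: only the source address is consulted, so a packet
    carrying source ::1 is trusted even if it arrived on eth0."""
    return "noquery" not in restrict_flags(src)

def query_allowed_fixed(src: str, ingress_if: str) -> bool:
    """Hardened logic: a loopback source is honoured only when the packet
    came in on the loopback interface (assumed name 'lo'); otherwise the
    packet falls back to the 'default' restrictions."""
    if ipaddress.ip_address(src).is_loopback and ingress_if != "lo":
        return "noquery" not in RESTRICT["default"]
    return query_allowed_vulnerable(src, ingress_if)

def audit(packets):
    """Run constructed (src, ingress_if) pairs through both checks and
    return rows (src, ingress_if, vulnerable_allows, fixed_allows)."""
    return [(s, i, query_allowed_vulnerable(s, i), query_allowed_fixed(s, i))
            for s, i in packets]

if __name__ == "__main__":
    # Constructed sample packets; 2001:db8::5 is a documentation address.
    SAMPLE = [("::1", "lo"), ("::1", "eth0"), ("2001:db8::5", "eth0")]
    for row in audit(SAMPLE):
        print(row)
```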
Vendor patch:
NTP
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.ntp.org/downloads.html
http://support.ntp.org/bin/view/Main/SecurityNotice
http://lists.ntp.org/pipermail/announce/2014-December/000122.html
http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.2
http://www.ntp.org/ntpfaq/NTP-s-algo-crypt.htm
http://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html
https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01