NTP 'ntp _ io. c' authentication Security Restriction Bypass Vulnerability

NTP 'ntp _ io. c' authentication Security Restriction Bypass Vulnerability

Release date:
Updated on:

Affected Systems:
NTP NTPd <= 4.2.7
Description:
Bugtraq id: 72584
CVE (CAN) ID: CVE-2014-9298

Network Time Protocol (NTP) is a Protocol used to synchronize computer Time. It can synchronize computers with their servers or clock sources (such as quartzels and GPS.

Ntpd 4.2.7 and earlier versions have multiple vulnerabilities. ntp-keygen earlier than version 4.2.7p230 uses a non-encrypted random number generator to generate symmetric keys. This can fool IPv6 address: 1 and cause attackers to bypass the: 1-based ACL. These vulnerabilities may affect ntpd used as servers or clients.

<* Source: Harlan Stenn

Link: https://www.kb.cert.org/vuls/id/852879
*>

Suggestion:
Temporary solution:

If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:

* Restricted status query
* Use firewall rules
* Disable Automatic Key Authentication

Vendor patch:

NTP
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://www.ntp.org/downloads.html
Http://support.ntp.org/bin/view/Main/SecurityNotice
Http://lists.ntp.org/pipermail/announce/2014-December/000122.html
Http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.2
Http://www.ntp.org/downloads.html
Http://www.ntp.org/ntpfaq/NTP-s-algo-crypt.htm
Http://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html
Https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01

CentOS NTP server installation and configuration

NTP servers in Linux

NTP client configurations for multiple operating systems

Build an enterprise-level NTP Time Server

Set up an ntp time synchronization server in Linux

Enable NTP time server in CentOS 6.3

This article permanently updates the link address: