Ntpd Vulnerability (CVE-2014-9297)
Release date:
Updated on:
Affected Systems:
NTP NTP 4.x
Description:
CVE (CAN) ID: CVE-2014-9297
Network Time Protocol (NTP) is a protocol used to synchronize computer time. It can synchronize computers with their servers or clock sources (such as quartz clocks and GPS).
Ntpd does not properly check for exceptional conditions and does not correctly validate the length value in extension field pointers, which may cause information leakage.
<* Source: Neel Mehta
Stephen Roettger
Link: https://www.kb.cert.org/vuls/id/852879
*>
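The kind of length validation the description refers to, as an added example (not ntpd's code and not taken from the advisory): the value inside an extension field is accepted only when its declared length fits inside the field and the field fits inside the bytes received. The field layout is assumed from RFC 5906, and `ef_get_value` and `EF_FIXED` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (RFC 5906 Autokey field carrying a value):
 * type(2) length(2) association ID(4) timestamp(4) filestamp(4)
 * value length(4) value(padded to 4) signature length(4) signature */
#define EF_FIXED 20u /* bytes that precede the value */

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper: returns 0 and sets *val and *vallen only when every
 * length in the field is consistent with the bytes received; -1 otherwise. */
int ef_get_value(const uint8_t *buf, size_t avail,
                 const uint8_t **val, uint32_t *vallen)
{
    if (avail < EF_FIXED)
        return -1;
    size_t flen = ((size_t)buf[2] << 8) | buf[3];
    if (flen < EF_FIXED || flen > avail || flen % 4 != 0)
        return -1;
    size_t room = flen - EF_FIXED;       /* bytes left for value + signature */
    uint32_t vl = rd32(buf + 16);
    if (vl > room)                       /* compare, never add: no wraparound */
        return -1;
    size_t padded = ((size_t)vl + 3) & ~(size_t)3;
    if (room - padded >= 4 &&            /* a signature length word is present */
        rd32(buf + EF_FIXED + padded) > room - padded - 4)
        return -1;
    *val = buf + EF_FIXED;
    *vallen = vl;
    return 0;
}

int main(void)
{
    /* Constructed sample: 28-byte field, 4-byte value, empty signature. */
    uint8_t f[28] = {0, 2, 0, 28, 0, 0, 0, 1, [19] = 4, 'a', 'b', 'c', 'd'};
    const uint8_t *v;
    uint32_t n;
    printf("honest field: %d\n", ef_get_value(f, sizeof f, &v, &n));
    f[18] = 0xff;                        /* value length now claims 65284 bytes */
    printf("inflated vallen: %d\n", ef_get_value(f, sizeof f, &v, &n));
    return 0;
}
```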
Suggestion:
Vendor patch:
NTP
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://support.ntp.org/bin/view/Main/SecurityNotice
http://lists.ntp.org/pipermail/announce/2014-December/000122.html
http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.2
http://www.ntp.org/downloads.html
http://www.ntp.org/ntpfaq/NTP-s-algo-crypt.htm
http://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html
https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01