Sunday, 11 January 2015

Multiple Vulnerabilities in ntpd Affecting Cisco Products


Updated 2015 January

Summary

Multiple Cisco products incorporate a version of the ntpd package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code or create a denial of service (DoS) condition.

On December 19, 2014, NTP.org and US-CERT released security advisories detailing two issues regarding weak cryptographic pseudorandom number generation (PRNG), three buffer overflow vulnerabilities, and an unhandled error condition with an unknown impact. The vulnerabilities are referenced in this document as follows: 
  • CVE-2014-9293: Weak Default Key in config_auth()
  • CVE-2014-9294: Noncryptographic Random Number Generator with Weak Seed Used by ntp-keygen to Generate Symmetric Keys
  • CVE-2014-9295: Multiple Buffer Overflow Vulnerabilities in ntpd
  • CVE-2014-9296: ntpd receive(): Missing Return on Error

This advisory will be updated as additional information becomes available.

Cisco will release free software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd
