CVE-2014-9293
ntp - security update
EPSS 33.3%
Description
The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
How to fix CVE-2014-9293
To remediate CVE-2014-9293, upgrade the affected package to one of the fixed versions below.
- Debian/ntp: upgrade to 1:4.2.6.p5+dfsg-3.2 or later
- Debian/ntp: upgrade to 1:4.2.6.p2+dfsg-1+deb6u1 or later
- Debian/ntp: upgrade to 1:4.2.6.p5+dfsg-2+deb7u1 or later
Is CVE-2014-9293 being exploited?
Moderate: EPSS is 33.3%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (3)
- from 0, < 1:4.2.6.p5+dfsg-3.2
- from 0, < 1:4.2.6.p2+dfsg-1+deb6u1
- from 0, < 1:4.2.6.p5+dfsg-2+deb7u1