CVE-2014-9750 — ntp - incomplete fix

Description

ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field.

How to fix CVE-2014-9750

To remediate CVE-2014-9750, upgrade the affected package to a fixed version below.

Debian/ntp—upgrade to 1:4.2.6.p5+dfsg-5 or later
Debian/ntp—upgrade to 1:4.2.6.p2+dfsg-1+deb6u2 or later
—upgrade to 1:4.2.6.p5+dfsg-2+deb7u2 or later
—upgrade to 1:4.2.6.p5+dfsg-2+deb7u3 or later

Is CVE-2014-9750 being exploited?

Low — EPSS is 4.4%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1:4.2.6.p5+dfsg-5
from 0, < 1:4.2.6.p2+dfsg-1+deb6u2
from 0, < 1:4.2.6.p5+dfsg-2+deb7u2
from 0, < 1:4.2.6.p5+dfsg-2+deb7u3

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-9750