CVE-2014-9295

Public on 2014-12-19
Modified on 2014-12-19
Description
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit.
Severity
Important severity
Important
CVSS v3 Base Score
6.8
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 ntp 2014-12-19 ALAS-2014-462 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
NVD CVSSv2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P