ALAS-2014-462 ---- ntpID: oval:org.secpod.oval:def:1600026 | Date: (C)2016-01-19 (M)2023-12-07 |
Class: PATCH | Family: unix |
It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys(CVE-2014-9294 (((((((CVE-2014-9295 ((CVE-2014-9296
Platform: |
Amazon Linux AMI |