6.8

CVE-2014-9751

The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before 4.2.8p1 on Linux and OS X does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address.

Data is provided by the National Vulnerability Database (NVD)
NtpNtp Version >= 4.2.0 < 4.2.8
   ApplemacOS Version-
   LinuxLinux Kernel Version-
NtpNtp Version4.2.8 Update-
   ApplemacOS Version-
   LinuxLinux Kernel Version-
DebianDebian Linux Version7.0
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
OracleLinux Version7 Update-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 9.65% 0.926
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.kb.cert.org/vuls/id/852879
Third Party Advisory
US Government Resource
http://bugs.ntp.org/show_bug.cgi?id=2672
Patch
Vendor Advisory
Issue Tracking
http://www.securityfocus.com/bid/72584
Third Party Advisory
VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1184572
Third Party Advisory
Issue Tracking