Описание
The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests.
Меры по смягчению последствий
Issue these commands to explicitly generate a strong key and add it to the ntpd configuration: echo trustedkey 65535 >> /etc/ntp.conf printf "65535\tM\t%s\n" $(tr -cd a-zA-Z0-9 < /dev/urandom | head -c 16) >> /etc/ntp/keys The generated key has about 95 bits of entropy.
Дополнительная информация
Статус:
EPSS
4 Medium
CVSS2
Связанные уязвимости
The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
The config_auth function in ntpd in NTP before 4.2.7p11, when an auth ...
The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
Уязвимость микропрограммного обеспечения системы коммуникаций Cisco Unified Communications Manager, позволяющая удаленному злоумышленнику обойти механизм защиты устройства
EPSS
4 Medium
CVSS2