Security Bulletin
Summary
The IBM Smart Analytics System 7600, 7700 and 7710 and the IBM PureData System for Operational Analytics are affected by multiple vulnerabilities in the Network Time Protocol (NTP) daemon.
Vulnerability Details
CVEID: CVE-2014-9293
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could provide weaker than expected security, caused by the improper generation of a key by the config_auth function when an auth key is not configured. A remote attacker could exploit this vulnerability using brute force techniques to guess the generated key.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99576 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-9294
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could provide weaker than expected security, caused by the use of a weak RNG seed by ntp-keygen.c. A remote attacker could exploit this vulnerability using brute force techniques to defeat cryptographic protection mechanisms.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99577 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-9295
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to multiple stack-based buffer overflows, caused by improper bounds checking by ntpd. By sending specially-crafted packets, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99578 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2014-9296
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by the receive function continuing to process a packet after it has detected an error (a missing return on the error path). By sending specially-crafted packets, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99579 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID: CVE-2014-9297
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to obtain sensitive information, caused by the improper validation of the length value (vallen) of extension fields in ntp_crypto.c. By sending a specially-crafted packet, an attacker could exploit this vulnerability to read sensitive information from process memory.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100005 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2014-9298
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to conduct spoofing attacks, caused by ntpd trusting packets whose IPv6 source address is ::1, which some operating systems do not reject when such packets arrive on a non-loopback interface. An attacker could exploit this vulnerability to spoof the IPv6 address ::1, bypass ACLs that grant the loopback address extra rights, and launch further attacks on the system.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100004 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-1799
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by an error when using symmetric key authentication. By sending specially-crafted packets to both peering hosts, an attacker could exploit this vulnerability to prevent synchronization.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102052 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P)
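Two of the issues above depend on how ntpd is configured as well as on its version: CVE-2014-9293 applies only when no authentication key is configured (ntpd then generates its own weak key), and the impact of CVE-2014-9298 is whatever a `restrict ::1` line grants beyond the default ACL. The audit script below is an added example for this page, not IBM's or the NTP project's code; it assumes standard ntp.conf directive syntax, and the sample configurations, server address and key file path are constructed for the example.

```python
"""Audit an ntp.conf for the configuration conditions this bulletin describes.

Added example for this page, not IBM's or the NTP project's code. Installing
the listed fixes is the remediation; this script only reports whether a
configuration is exposed to two of the issues:

  * CVE-2014-9293: when no authentication key is configured, ntpd's
    config_auth() generates one itself, and that key is weak;
  * CVE-2014-9298: a packet with a spoofed ::1 source inherits whatever
    'restrict ::1' grants, so a loopback line that lifts 'nomodify' from the
    default ACL hands that right to a remote attacker until ntpd is patched.

The sample configurations and file paths below are constructed for the example.
"""

QUERY_DENY = {"ignore", "noquery"}    # flags that refuse mode 6/7 queries
MODIFY_DENY = {"ignore", "nomodify"}  # flags that refuse runtime configuration changes


def parse_ntp_conf(text):
    """Return the keys/controlkey/requestkey/restrict directives of an ntp.conf."""
    conf = {"keys": None, "controlkey": None, "requestkey": None, "restrict": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        directive = directive.lower()
        if directive == "keys" and args:
            conf["keys"] = args[0]
        elif directive in ("controlkey", "requestkey") and args and args[0].isdigit():
            conf[directive] = int(args[0])
        elif directive == "restrict":
            # restrict [-4|-6] <address|default> [mask <m>] [flag ...]
            args = [a for a in args if a not in ("-4", "-6")]
            if not args:
                continue
            target, flags, i = args[0].lower(), set(), 1
            while i < len(args):
                if args[i].lower() == "mask":   # skip the mask keyword and its value
                    i += 2
                    continue
                flags.add(args[i].lower())
                i += 1
            conf["restrict"].append((target, flags))
    return conf


def audit(text):
    """Return (identifier, message) findings for the given ntp.conf text."""
    conf = parse_ntp_conf(text)
    findings = []

    # CVE-2014-9293 condition: no key material configured at all.
    if conf["keys"] is None and conf["controlkey"] is None and conf["requestkey"] is None:
        findings.append(("CVE-2014-9293",
                         "no authentication key configured; ntpd will generate its own key"))

    # Collect the flags of the default ACL (several 'restrict default' lines may exist).
    default_flags = set()
    for target, flags in conf["restrict"]:
        if target == "default":
            default_flags |= flags
    if not default_flags & QUERY_DENY:
        findings.append(("hardening",
                         "'restrict default' lacks noquery; mode 6/7 queries are accepted from any address"))

    # CVE-2014-9298 impact: rights that ::1 holds but the default ACL withholds.
    for target, flags in conf["restrict"]:
        if target != "::1":
            continue
        lifted = (default_flags & MODIFY_DENY) - flags
        if lifted:
            findings.append(("CVE-2014-9298",
                             "'restrict ::1' lifts %s from the default ACL; a spoofed ::1 "
                             "packet gains that right on an unpatched ntpd" % sorted(lifted)))
    return findings


# Constructed sample: unauthenticated, and loopback may reconfigure ntpd.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
server 192.0.2.10
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict -6 ::1
"""

# Constructed sample: explicit symmetric key, queries closed by default,
# and ::1 holding no modification rights the default ACL withholds.
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
trustedkey 1
controlkey 1
requestkey 1
server 192.0.2.10 key 1
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1 nomodify notrap
restrict -6 ::1 nomodify notrap
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

Run it against /etc/ntp.conf on each node before and after applying the fixes in the table below. A clean result does not show that the host is patched; it only shows that the key and ACL settings do not widen the exposure. The hardened sample keeps queries open on both loopback addresses so that local ntpq still works, and withholds only modification rights from ::1; on an unpatched ntpd a spoofed ::1 packet could therefore still query, but not reconfigure, the daemon.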
Affected Products and Versions
IBM Smart Analytics System 7600
IBM Smart Analytics System 7700
IBM Smart Analytics System 7710
IBM PureData System for Operational Analytics V1.0 (A1791)
IBM PureData System for Operational Analytics V1.1 (A1801)
Remediation/Fixes
For each affected component in the table, download the recommended fix, and install using the link in the Installation instructions column.
For more information about IBM IDs, see the Help and FAQ.
IBM Smart Analytics System 7600

| Affected Component | Recommended Fix | Download Link | Installation Instructions |
|---|---|---|---|
| IBM AIX NTPv3 | Install Interim Fix IV74261s5a.150714.epkg.Z | Security Bulletin: Vulnerability in NTPv3 affects AIX | |
| IBM Power Hardware Management Console (HMC) V7 R7.9.0 | Update to V7 R7.9.0 SP1 and install fix MH01512 | IBM Fix Central: MH01512 | Installing an IBM Hardware Management Console fix in an IBM Smart Analytics System or IBM PureData System for Operational Analytics environment |
| Juniper EX4200 | Update to 12.3R9 | Juniper EX4200: 12.3R9 | Upgrade and Downgrade Instructions for Junos OS Release 12.3 for EX Series Switches |

IBM Smart Analytics System 7700 and 7710

| Affected Component | Recommended Fix | Download Link | Installation Instructions |
|---|---|---|---|
| IBM AIX NTPv3 | Install Interim Fix IV74261s5a.150714.epkg.Z | Security Bulletin: Vulnerability in NTPv3 affects AIX | |
| IBM Power Hardware Management Console (HMC) V7 R7.9.0 | Update to V7 R7.9.0 SP1 and install fix MH01512 | IBM Fix Central: MH01512 | Installing an IBM Hardware Management Console fix in an IBM Smart Analytics System or IBM PureData System for Operational Analytics environment |
| Juniper EX4200 and EX4500 Switches | Update to 12.3R9 | Juniper EX4200: 12.3R9; Juniper EX4500: 12.3R9 | Upgrade and Downgrade Instructions for Junos OS Release 12.3 for EX Series Switches |

IBM PureData System for Operational Analytics V1.0 (A1791) and V1.1 (A1801)

| Affected Component | Recommended Fix | Download Link | Installation Instructions |
|---|---|---|---|
| IBM AIX NTPv3 | Install Interim Fix IV74261s5a.150714.epkg.Z | Security Bulletin: Vulnerability in NTPv3 affects AIX | |
| IBM Power Hardware Management Console (HMC) V8 R8.1.0 | Update to V8 R8.1.0 SP2 and install fix MH01550 | IBM Fix Central: MH01550 | Installing an IBM Hardware Management Console fix in an IBM Smart Analytics System or IBM PureData System for Operational Analytics environment |
For assistance, contact IBM Support:
- In the United States and Canada dial 1-800-IBM-SERV
- View the support contacts for other countries outside of the United States.
- Electronically open a Service Request with IBM Support.
Get Notified about Future Security Bulletins
References
Change History
October 20, 2015: Original version published.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
2589: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296
- HMC: all four. https://www-304.ibm.com/support/docview.wss?uid=nas8N1020645
- AIX: CVE-2014-9293, CVE-2014-9294 and CVE-2014-9295 only. http://aix.software.ibm.com/aix/efixes/security/ntp_advisory2.asc
- Juniper: CVE-2014-9295 only. http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10663&actp=search&viewlocale=en_US&searchid=1440083464392
- SLES: CVE-2014-9293, CVE-2014-9294 and CVE-2014-9295 only.
2672: CVE-2014-9297, CVE-2014-9298
- HMC: both, HMC V8 only. http://www-01.ibm.com/support/docview.wss?uid=nas8N1020857
- SLES: both.
3009: CVE-2015-1799, CVE-2015-1798
- AIX: CVE-2015-1799 only. http://aix.software.ibm.com/aix/efixes/security/ntp_advisory3.asc
- SLES: CVE-2015-1799 only.
Document Information
Modified date:
17 October 2019
UID
swg21966675