Security Bulletin
Summary
There are multiple vulnerabilities in Network Time Protocol (NTP) Project NTP daemon (ntpd) that is used by Power Hardware Management Console
Vulnerability Details
CVE-ID: CVE-2014-9293
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could provide weaker than expected security, caused by the improper generation of a key by the config_auth function when an auth key is not configured. A remote attacker could exploit this vulnerability using brute force techniques to guess the generated key.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99576 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-9294
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could provide weaker than expected security, caused by the use of a weak RNG seed by ntp-keygen.c. A remote attacker could exploit this vulnerability using brute force techniques to defeat cryptographic protection mechanisms.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99577 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-9295
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to multiple stack-based buffer overflows, caused by improper bounds checking by ntpd. By sending specially-crafted packets, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99578 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-ID: CVE-2014-9296
DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by the continual execution of the receive function after detecting an error. By sending specially-crafted packets, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99579 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
Power HMC V7.7.3.0
Power HMC V7.7.7.0
Power HMC V7.7.8.0
Power HMC V7.7.9.0
Power HMC V8.8.1.0
Power HMC V8.8.2.0
Remediation/Fixes
Fixes are available for the the HMC versions mentioned below:
Product | VRMF | APAR | Remediation/First Fix |
Power HMC | V7.7.3.0 SP7 | MB03888 | Apply eFix MH01500 |
Power HMC | V7.7.7.0 SP4 | MB03889 | Apply eFix MH01501 |
Power HMC | V7.7.8.0 SP2 | MB03899 | Apply eFix MH01511 |
Power HMC | V7.7.9.0 SP1 | MB03900 | Apply eFix MH01512 |
Power HMC | V8.8.1.0 SP1 | MB03886 | Apply eFix MH01498 |
Power HMC | V8.8.2.0 | MB03837 | Apply service pack 1 (MH01455) |
Note:
1. After applying the PTF, you should restart the HMC.
2. HMC V7.7.3 support is extended only for managing the Power 775 (9125-F2C) also called "PERCS" and "IH". End Of Service date for managing all other server models was 2013.05.31.
3. CVE-2014-9296 affects only HMC V8.8.1.0 and V8.8.2.0. Other versions are not affected.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
17 March 2015: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
22 September 2021
UID
nas8N1020645