Unrated severity · NVD Advisory · Published Dec 20, 2014 · Updated May 6, 2026

CVE-2014-9293

Description

The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NTP before 4.2.7p11 generates a weak default key when no auth key is configured, allowing remote attackers to brute-force cryptographic protections.

Vulnerability

The config_auth() function in ntpd prior to NTP version 4.2.7p11 generates a weak cryptographic key when no authentication key is explicitly configured. This occurs because the function uses an improper key generation mechanism, resulting in a key with insufficient entropy. The vulnerability affects all NTP releases before 4.2.7p11. [1][2]

Exploitation

An attacker can exploit this vulnerability without any prior authentication or user interaction by simply observing network traffic to obtain the weak key material. With remote network access, the attacker can perform a brute-force attack to recover the generated key. The low entropy of the key makes brute-force feasible. The attack does not require any privileged position or race condition. [1][2]

Impact

Successful exploitation allows the attacker to defeat cryptographic protection mechanisms used by NTP. This can lead to unauthorized disclosure of information, modification of NTP traffic, or denial of service. The attacker gains the ability to forge NTP packets, potentially enabling man-in-the-middle attacks that could affect time synchronization across the network. [1][2]

Mitigation

A fix was released in NTP version 4.2.7p11 on December 19, 2014. Red Hat released security updates RHSA-2014-2025 and RHSA-2015-0104 for affected packages, and Cisco issued software updates for affected products. HP also released fixes for impacted networking devices. Users should upgrade to NTP 4.2.7p11 or later, or apply vendor-specific patches. If upgrading is not possible, configuring an explicit authentication key mitigates the issue. [1][2][3][4]

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6

References

21
