Cisco publicly released information about advisory ID cisco-sa-20141222-ntpd today, a remote code execution vulnerability in the ntpd software that ships with firmware on many Cisco products. There are at least four CVEs as part of this advisory ID, which are as follows:
- CVE-2014-9293: Weak Default Key in config_auth()
- CVE-2014-9294: Noncryptographic Random Number Generator with Weak Seed Used by ntp-keygen to Generate Symmetric Keys
- CVE-2014-9295: Multiple Buffer Overflow Vulnerabilities in ntpd
- CVE-2014-9296: ntpd receive(): Missing Return on Error
We recently blogged about how to know whether to take vulnerability alerts seriously, and since this is a remote code execution vulnerability, rated a 7.5 out of 10 by Cisco in severity, this is one that should be taken seriously and addressed. While it appears that there are no exploits taking advantage of any of these CVEs in the wild as of yet, it is recommended that users of Cisco products visit http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd immediately and take a look at the “Affected Products” section to see if your specific product is impacted. Cisco has released updated firmware that can be downloaded via your service contract with Cisco.
Please see http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd for additional information and news about this vulnerability as it comes available.