A series of vulnerabilities has been discovered in the Network Time Protocol service (ntpd).
CVE-2014-9293
A weak internal key allows remote attackers to defeat control protection mechanisms via a brute-force attack.
CVE-2014-9295
Allows a remote party to crash the NTP service, or potentially execute code remotely, using specially crafted network packets.
To mitigate these issues, disable the NTP service on any interfaces that are not trusted, under Services -> Service Access. The vulnerabilities are addressed by the 3.15.0 firmware and 4.5.3 Lighthouse releases.
Note that the NTP service is disabled by default and, when enabled, is restricted to the Management LAN, Wireless WLAN, Dial-in and VPN interfaces.