An Information Disclosure vulnerability exists in NTP 4.2.7p25 private (mode 6/7) messages via a GET_RESTRICT control message, which could let a malicious user obtain sensitive information. (CVE-2014-5209)
Impact
An attacker may be able to prompt the network time protocol (NTP) server to return a list of hosts or networks that have particular restrictions applied. BIG-IP, BIG-IQ, Enterprise Manager, and F5 iWorkflow software are not vulnerable in default, standard, and recommended configurations; however, the vulnerability can be exposed if you configure an additional “restrict” line in the NTP configuration that allows remote NTP mode 6 or 7 packets.
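The exposure condition above can be checked mechanically. This added example (not from the advisory or F5) audits `restrict` lines for the absence of a query-blocking flag; it assumes standard ntpd `ntp.conf` syntax, and the sample configuration and function names are constructed for illustration.

```python
import ipaddress

# ntpd restrict flags that stop the daemon answering ntpq/ntpdc (mode 6/7) queries.
BLOCKING_FLAGS = {"noquery", "ignore"}

# Constructed sample ntp.conf; addresses are documentation ranges.
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap   # added line, no noquery
restrict 198.51.100.7 nomodify notrap noquery
"""

def is_loopback(address):
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # "default", "source" or a hostname: treat as remote

def audit_restrict_lines(conf_text):
    """Return (line_no, line) for restrict lines that leave mode 6/7 open to remote hosts."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not args:
            continue
        address, flags, i = args[0], set(), 1
        while i < len(args):
            if args[i] == "mask":
                i += 2  # skip the netmask value
            else:
                flags.add(args[i])
                i += 1
        if not is_loopback(address) and not (flags & BLOCKING_FLAGS):
            findings.append((line_no, line))
    return findings

if __name__ == "__main__":
    for line_no, line in audit_restrict_lines(SAMPLE_CONF):
        print(f"line {line_no}: remote mode 6/7 queries allowed: {line}")
```

Appending `noquery` to a flagged line closes the exposure while leaving time service for that host or network intact.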
Name | Operator | Version |
---|---|---|
big-ip afm | eq | 11.4.0 |
big-ip afm | eq | 11.4.1 |
big-ip afm | eq | 11.5.0 |
big-ip afm | eq | 11.5.1 |
big-ip afm | eq | 11.5.2 |
big-ip afm | eq | 11.5.3 |
big-ip afm | eq | 11.5.4 |
big-ip afm | eq | 11.5.5 |
big-ip afm | eq | 11.5.6 |
big-ip afm | eq | 11.5.7 |