LANDESK is aware of the vulnerabilities discovered with NTP (ntpd) and we are currently working on a patch to address these concerns. At present, NTP has addressed some of the vulnerabilities and is working on addressing the remaining concerns in a later update. We will update this document with further information as we have it. We appreciate your patience.
As updates are available, including any additional information about how this vulnerability affects LANDESK products and progress for any updates or patches, it will be added to this document.
Latest Updates
December 31, 2014 (11:00AM MST)
Initial publication of this document. LANDESK is aware of the vulnerability and is working on an update for the Cloud Services Appliance
How does this affect LANDESK
Affected Product(s)
LANDESK Cloud Service Appliance 4.3
Non-Affected Product(s)
LANDESK Asset Lifecycle Manager
LANDESK Service Desk, including Service Desk as a Service (SDaas)
Mobility products including Wavelink, Avalance on Demand and LANDESK Mobility Management
Shavlik Products
LANDESK Cloud Services Appliance 4.2 (EOL)
More Details
The following outline additional information about affected products, services and updates
External Network(s)
Cloud Services Appliance
All data on the Cloud Services Appliance is encrypted using SHA1. The data that could be exposed through these vulnerabilities will not grant access to usernames, passwords or private keys.
The version of ntpd on the CSA is currently 4.2.4p8
NTPD is not configured to run by default on the LANDESK Cloud Services Appliance (CSA). However it could be enabled independently. One way to check if ntpd is running is to run the following command on the CSA:
ps -A | grep ntpd
At this time, LANDESK recommends that customers disable ntpd until an update is available that addresses these vulnerabilities. LANDESK recommends that customers keep software updated in order to get the latest updates and fixes. More information about EOL for the CSA 4.2 can be found at End of Life for LANDesk® Cloud Services Appliance 4.2
NTP Vulnerability Information
More information about the vulnerabilities and NTP can be found on the following pages:
NTP.org Security Notice (contains information about vulnerabilities, mitigation options and updates)
NIST CVE Information: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296
- LANDESK Support