
CVE-2015-7691

Published: 21 Oct 2015
Source: redhat
CVSS2: 4
EPSS: Low

Description

The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted packets containing particular autokey operations. NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750.

It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd.

Mitigation

Disable NTP autokey authentication by removing, or commenting out, all configuration directives beginning with the 'crypto' keyword in your ntp.conf file.

Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | ntp | Will not fix | | |
| Red Hat Enterprise Linux 6 | ntp | Fixed | RHSA-2016:0780 | 10 May 2016 |
| Red Hat Enterprise Linux 7 | ntp | Fixed | RHSA-2016:2583 | 3 Nov 2016 |


Additional information

Status: Moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1274254 (ntp: incomplete checks in ntp_crypto.c)

EPSS

Percentile: 90%
0.06218
Low

CVSS2: 4 Medium

Related vulnerabilities

CVSS3: 7.5
ubuntu
about 8 years ago

The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted packets containing particular autokey operations. NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750.

CVSS3: 7.5
nvd
about 8 years ago

The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted packets containing particular autokey operations. NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750.

CVSS3: 7.5
debian
about 8 years ago

The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3. ...

CVSS3: 7.5
github
more than 3 years ago

The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted packets containing particular autokey operations. NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750.

oracle-oval
more than 9 years ago

ELSA-2016-0780: ntp security and bug fix update (MODERATE)
