CVE-2015-1799

Severity

43%

Complexity

55%

Confidentiality

81%

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer.

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: medium. CVSS Vector: (AV:A/AC:M/Au:N/C:N/I:P/A:P).

Overview

First reported 9 years ago

2015-04-08 10:59:00

Last updated 7 years ago

2018-01-05 02:30:00

Affected Software

NTP

References

http://bugs.ntp.org/show_bug.cgi?id=2781

[chrony-announce] 20150407 chrony-1.31.1 released (security)

APPLE-SA-2015-06-30-2

FEDORA-2015-5874

FEDORA-2015-5761

openSUSE-SU-2015:0775

SSRT102029

HPSBHF03557

RHSA-2015:1459

http://support.apple.com/kb/HT204942

http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

Vendor Advisory

20150408 Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products

20150408 Network Time Protocol Daemon Symmetric Mode Packet Processing Denial of Service Vulnerability

DSA-3222

DSA-3223

VU#374268

Third Party Advisory, US Government Resource

MDVSA-2015:202

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

73950

1032031

USN-2567-1

https://kc.mcafee.com/corporate/index?page=content&id=SB10114

GLSA-201509-01

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.