CVE-2015-3405 — Insufficient Entropy in Redhat Enterprise Linux FOR Power BIG Endian

CWE-331 — Insufficient Entropy CWE-628 — Function Call with Incorrectly Specified Arguments CWE-835 — Infinite Loop CWE-330 — Use of Insufficiently Random Values7 documents7 sources

Severity

7.5HIGHNVD

EPSS

16.6%

top 5.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NTP Debian Linux Fedoraproject Fedora +10 more

Timeline

PublishedAug 9

Latest updateMay 13

Description

ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

▶Debianntp/ntp< 1:4.2.6.p5+dfsg-7

▶NVDntp/ntp13 versions+12

▶NVDredhat/enterprise_linux_server6.0

▶NVDredhat/enterprise_linux_desktop6.0

▶NVDsuse/suse_linux_enterprise_server11.0

Also affects: Debian Linux 7.0, 8.0, Fedora 21, Enterprise Linux 6.0

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-wwx9-mwhp-g8mc: ntp-keygen in ntp 4↗2022-05-13

▶

CVEList

CVE-2015-3405: ntp-keygen in ntp 4↗2017-08-09

▶

OSV

CVE-2015-3405: ntp-keygen in ntp 4↗2017-08-09

▶

📋Vendor Advisories

Red Hat

ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems↗2015-04-09

▶

Debian

CVE-2015-3405: ntp - ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not ge...↗2015

▶

💬Community

Bugzilla

CVE-2015-3405 ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems↗2015-04-09

▶