CVE-2015-5146: Improper Input Validation in NTP

Severity: 5.3 MEDIUM (NVD)
EPSS: 2.4% (top 14.83%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Aug 24
Latest update: May 14

Description

ntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.6 | Impact: 3.6

Affected Packages (3 packages)

Debian: ntp/ntp < 1:4.2.8p3+dfsg-1
Ubuntu: ntp/ntp < 1:4.2.6.p5+dfsg-3ubuntu2.14.04.5
NVD: ntp/ntp 4.2.8

Also affects: Debian Linux 7.0, 8.0, Fedora 21, 22, 23

🔴 Vulnerability Details (4)

GHSA: GHSA-8463-8xmw-64wf: ntpd in ntp before 4 (2022-05-14)
OSV: CVE-2015-5146: ntpd in ntp before 4 (2017-08-24)
CVEList: CVE-2015-5146: ntpd in ntp before 4 (2017-08-24)
OSV: ntp vulnerabilities (2015-10-27)

📋 Vendor Advisories (3)

Ubuntu: NTP vulnerabilities (2015-10-27)
Red Hat: ntp: ntpd control message crash on crafted NUL-byte in configuration directive (VU#668167) (2015-06-30)
Debian: CVE-2015-5146: ntp - ntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authe... (2015)

💬 Community (3)

Bugzilla: CVE-2015-5146 ntp: ntpd control message crash on crafted NUL-byte in configuration directive (VU#668167) (2015-07-01)
Bugzilla: CVE-2015-5146 ntp: ntpd control message crash on crafted NUL-byte in configuration directive (VU#668167) [fedora-all] (2015-07-01)
Bugzilla: CVE-2009-5146 openssl: memory leak in hostname TLS extension (2015-03-18)