CVE-2015-7853
published 2017-08-07

Priority: P355 | critical | 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 11.78% (95.6th percentile)

The datalen parameter in the refclock driver in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a negative input value.

Affected

7 ranges
Vendor | Product | Version range | Fixed in
cisco | products_october_2015 | |
debian | ntp | < ntp 1:4.2.8p4+dfsg-1 (bullseye) | ntp 1:4.2.8p4+dfsg-1 (bullseye)
ntp | ntp | |
ntp | ntp | >= 0 < 1:4.2.8p4+dfsg-1 | 1:4.2.8p4+dfsg-1
ntp | ntp | >= 0 < 1:4.2.6.p5+dfsg-3ubuntu2.14.04.5 | 1:4.2.6.p5+dfsg-3ubuntu2.14.04.5
ntp | ntp | >= 4.2.0 < 4.2.8 | 4.2.8
ntp | ntp | >= 4.3.0 < 4.3.77 | 4.3.77

Detection & IOCs

  • Vulnerability exists in the refclock (reference clock) driver of ntpd; attack vector is a negative datalen/length value supplied by a hardware reference clock input, triggering a buffer overflow in memory
  • Upstream patch available at the referenced GitHub commit for NTP project; patch against ntp versions 4.2.x before 4.2.8p4 and 4.3.x before 4.3.77
  • Talos Intelligence published a report on this vulnerability; reference for additional technical detail and potential detection signatures
  • Red Hat Enterprise Linux 5, 6, and 7 are NOT affected because their shipped ntp packages do not include the custom refclock driver
  • Only NTP deployments using a hardware reference clock (refclock driver) are exposed; standard NTP installations without refclock configuration are not vulnerable

CVSS provenance

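Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | | 9.8 | CRITICAL |
vendor_debian | | 9.8 | CRITICAL |
vendor_redhat | | 9.8 | CRITICAL |
vendor_cisco | | 7.5 | HIGH |
vendor_ubuntu | | 5.3 | MEDIUM |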