cbcvebase.
CVE-2015-7855
published 2017-08-07

CVE-2015-7855: The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (assertion failure)…

PriorityP344medium6.5CVSS 3.1
AVNACLPRLUINSUCNINAH
EXPLOIT
EPSS
31.07%
98.0th percentile
The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (assertion failure) via a 6 or mode 7 packet containing a long data value.

Affected

10 ranges
VendorProductVersion rangeFixed in
ciscoproducts_october_2015
debiandebian_linux
debiandebian_linux
debiandebian_linux
debianntp< ntp 1:4.2.8p4+dfsg-1 (bullseye)ntp 1:4.2.8p4+dfsg-1 (bullseye)
ntpntp
ntpntp>= 0 < 1:4.2.8p4+dfsg-11:4.2.8p4+dfsg-1
ntpntp>= 0 < 1:4.2.6.p5+dfsg-3ubuntu2.14.04.51:4.2.6.p5+dfsg-3ubuntu2.14.04.5
ntpntp>= 4.2.0 < 4.2.84.2.8
ntpntp>= 4.3.0 < 4.3.774.3.77

Detection & IOCsextracted from sources · hover to see the quote

port123/UDP
bytes
\x16\x0a\x00\x02\x00\x00\x00\x00\x00\x00\x00\xa0\x6e\x6f\x6e\x63\x65\x3d\x64\x61\x33\x64\x35\x64\x30\x66\x66\x38\x30\x38\x31\x65\x63\x38\x33\x35\x32\x61\x32\x32\x38\x36\x2c\x20\x66\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39
  • Trigger is a mode 6 or mode 7 NTP packet (first byte 0x16 = mode 6) with an oversized `laddr=` field containing a long numeric string sent over UDP/123 — look for NTP control packets with unusually large data payloads targeting the decodenetnum() code path.
  • The vulnerability is exposed only when the `mrulist` feature is active in ntpd; detection should focus on environments where mrulist/mode-6 queries are permitted from remote hosts.
  • Crash manifests as an assertion failure inside decodenetnum() — monitor ntpd process for unexpected termination or assertion-failure log messages as a host-based detection signal.
  • ·The vulnerability only affects ntpd instances that expose the mrulist feature (mode 6/7 queries); Red Hat Enterprise Linux 5, 6, and 7 ship without this feature and are not affected.

CVSS provenance

nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:N/I:N/A:P
osv6.5MEDIUM
vendor_cisco7.5HIGH
vendor_debian6.5MEDIUM
vendor_redhat6.5MEDIUM
vendor_ubuntu5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.