CVE-2015-7978Uncontrolled Resource Consumption in NTP

CWE-400Uncontrolled Resource ConsumptionCWE-121Stack-based Buffer OverflowCWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-20Improper Input ValidationCWE-200Sensitive Information ExposureCWE-287Improper AuthenticationCWE-39924 documents10 sources
Severity
7.5HIGHNVD
OSV6.5
EPSS
42.5%
top 2.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
NTPDebian NTPPaloalto Pan-os
Timeline
PublishedJan 30
Latest updateMay 14

Description

NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a remote attackers to cause a denial of service (stack exhaustion) via an ntpdc relist command, which triggers recursive traversal of the restriction list.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

debiandebian/ntp< ntp 1:4.2.8p7+dfsg-1 (bullseye)
Debianntp/ntp< 1:4.2.8p7+dfsg-1
Ubuntuntp/ntp< 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10+1
NVDntp/ntp4.2.8+89
Palo Altopaloalto/pan-os

🔴Vulnerability Details

3
GHSA
GHSA-jj32-297r-pcv8: NTP before 42022-05-14
OSV
CVE-2015-7978: NTP before 42017-01-30
OSV
ntp vulnerabilities2016-10-05

📋Vendor Advisories

17
Ubuntu
NTP vulnerabilities2016-10-05
Palo Alto
PAN-SA-2016-0019 NTP Vulnerabilities2016-08-15
Cisco
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 20162016-01-28
BSD
FreeBSD-SA-16:09.ntp: Multiple vulnerabilities of ntp2016-01-27
Red Hat
ntp: stack exhaustion in recursive traversal of restriction list2016-01-20

💬Community

3
Bugzilla
CVE-2015-7978 ntp: stack exhaustion in recursive traversal of restriction list2016-01-20
Bugzilla
CVE-2015-7977 ntp: restriction list NULL pointer dereference2016-01-20
Bugzilla
CVE-2015-7974 CVE-2015-8138 CVE-2015-7973 CVE-2015-7975 CVE-2015-7976 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 CVE-2015-8139 CVE-2015-8140 ntp: various flaws [fedora-all]2016-01-20