CVE-2015-7979Improper Input Validation in NTP

CWE-19CWE-20Improper Input ValidationCWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-200Sensitive Information ExposureCWE-287Improper AuthenticationCWE-399CWE-400Uncontrolled Resource Consumption27 documents11 sources
Severity
7.5HIGHNVD
OSV6.5
EPSS
4.2%
top 11.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
NTPDebian NTPPaloalto Pan-os
Timeline
PublishedJan 30
Latest updateMay 13

Description

NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (client-server association tear down) by sending broadcast packets with invalid authentication to a broadcast client.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

debiandebian/ntp< ntp 1:4.2.8p7+dfsg-1 (bullseye)
Debianntp/ntp< 1:4.2.8p7+dfsg-1
Ubuntuntp/ntp< 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10+1
NVDntp/ntp4.2.8+89
Palo Altopaloalto/pan-os

🔴Vulnerability Details

3
GHSA
GHSA-9fqj-9gp8-4rwc: NTP before 42022-05-13
OSV
CVE-2015-7979: NTP before 42017-01-30
OSV
ntp vulnerabilities2016-10-05

📋Vendor Advisories

19
CISA ICS
Siemens TIM 4R-IE Devices2021-04-13
Ubuntu
NTP vulnerabilities2016-10-05
Palo Alto
PAN-SA-2016-0019 NTP Vulnerabilities2016-08-15
Red Hat
ntp: bad authentication demobilizes ephemeral associations2016-06-02
Cisco
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 20162016-01-28

💬Community

4
Bugzilla
CVE-2016-4953 ntp: bad authentication demobilizes ephemeral associations2016-05-30
Bugzilla
CVE-2016-1547 ntp: crypto-NAK preemptable association denial of service2016-04-28
Bugzilla
CVE-2015-7979 ntp: off-path denial of service on authenticated broadcast mode2016-01-20
Bugzilla
CVE-2015-7974 CVE-2015-8138 CVE-2015-7973 CVE-2015-7975 CVE-2015-7976 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 CVE-2015-8139 CVE-2015-8140 ntp: various flaws [fedora-all]2016-01-20