CVE-2015-8139 — Improper Access Control in NTP

CWE-284 — Improper Access Control CWE-290 — Authentication Bypass by Spoofing CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-20 — Improper Input Validation CWE-200 — Sensitive Information Exposure CWE-287 — Improper Authentication CWE-39921 documents8 sources

Severity

5.3MEDIUMNVD

EPSS

30.1%

top 3.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NTP Debian NTP

Timeline

PublishedJan 30

Latest updateMay 17

Description

ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/ntp< ntp 1:4.2.8p7+dfsg-1 (bullseye)

▶Debianntp/ntp< 1:4.2.8p7+dfsg-1

▶NVDntp/ntp4.2.8

🔴Vulnerability Details

GHSA

GHSA-qmqw-w975-8wjm: ntpq in NTP before 4↗2022-05-17

▶

OSV

CVE-2015-8139: ntpq in NTP before 4↗2017-01-30

▶

📋Vendor Advisories

Cisco

Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016↗2016-01-28

▶

BSD

FreeBSD-SA-16:09.ntp: Multiple vulnerabilities of ntp↗2016-01-27

▶

Red Hat

ntp: ntpq and ntpdc disclose origin timestamp to unauthenticated clients↗2016-01-20

▶

Debian

CVE-2015-8139: ntp - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps a...↗2015

▶

Cisco

Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016↗

▶

💬Community

Bugzilla

CVE-2015-8139 CVE-2016-4954 CVE-2016-4955 CVE-2016-4956 ntp: various flaws [fedora-all]↗2016-06-02

▶

Bugzilla

CVE-2015-8139 ntp: ntpq and ntpdc disclose origin timestamp to unauthenticated clients↗2016-01-21

▶

Bugzilla

CVE-2015-7974 CVE-2015-8138 CVE-2015-7973 CVE-2015-7975 CVE-2015-7976 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8158 CVE-2015-8139 CVE-2015-8140 ntp: various flaws [fedora-all]↗2016-01-20

▶