CVE-2020-15025 — Missing Release of Memory after Effective Lifetime in NTP

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-400 — Uncontrolled Resource Consumption9 documents8 sources

Severity

4.9MEDIUMNVD

CNA4.4

EPSS

3.1%

top 13.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NTP Opensuse Leap Oracle ZFS Storage Appliance KIT

Timeline

PublishedJun 24

Latest updateMay 24

Description

ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 1.2 | Impact: 3.6

Affected Packages4 packages

▶NVDntp/ntp4.3.97 — 4.3.101+1

▶Debianntp/ntp< 1:4.2.8p15-1

▶NVDopensuse/leap15.1, 15.2+1

▶NVDoracle/zfs_storage_appliance_kit8.8

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-p62f-hvr2-5w5f: ntpd in ntp 4↗2022-05-24

▶

OSV

CVE-2020-15025: ntpd in ntp 4↗2020-06-24

▶

CVEList

CVE-2020-15025: ntpd in ntp 4↗2020-06-24

▶

📋Vendor Advisories

Ubuntu

NTP vulnerability↗2021-12-06

▶

Red Hat

ntp: Resource exhaustion via memory leak with CMAC keys↗2020-06-23

▶

Debian

CVE-2020-15025: ntp - ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attacke...↗2020

▶

💬Community

Bugzilla

CVE-2020-15025 ntp: memory leak with CMAC keys can lead to DoS [fedora-all]↗2020-06-29

▶

Bugzilla

CVE-2020-15025 ntp: Resource exhaustion via memory leak with CMAC keys↗2020-06-24

▶