[email protected]CVE-2015-7974

HistoryJan 26, 2016 - 7:59 p.m.

CVE-2015-7974

2016-01-2619:59:00

CWE-287

[email protected]

web.nvd.nist.gov

105

ntp

network time protocol

cve-2015-7974

authentication

impersonation attack

security vulnerability

7.7 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

7.5 High

AI Score

Confidence

High

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

68.7%

JSON

NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a “skeleton key.”

CPENameOperatorVersion
ntp:ntpntpeq4.2.8
ntp:ntpntplt4.3.90
siemens:tim_4r-ie_firmwaresiemens tim 4r-ie firmwareeq*
siemens:tim_4r-ie_dnp3_firmwaresiemens tim 4r-ie dnp3 firmwareeq*
netapp:oncommand_balancenetapp oncommand balanceeq-
netapp:clustered_data_ontapnetapp clustered data ontapeq-
debian:debian_linuxdebian debian linuxeq8.0
debian:debian_linuxdebian debian linuxeq9.0

CPE	Name	Operator	Version
ntp:ntp	ntp	eq	4.2.8
ntp:ntp	ntp	lt	4.3.90
siemens:tim_4r-ie_firmware	siemens tim 4r-ie firmware	eq	*
siemens:tim_4r-ie_dnp3_firmware	siemens tim 4r-ie dnp3 firmware	eq	*
netapp:oncommand_balance	netapp oncommand balance	eq	-
netapp:clustered_data_ontap	netapp clustered data ontap	eq	-
debian:debian_linux	debian debian linux	eq	8.0
debian:debian_linux	debian debian linux	eq	9.0