CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.073 Low
  Percentile: 94.0%

CVE-2015-7853
A potential buffer overflow vulnerability exists in the refclock of ntpd. An invalid length provided by a hardware reference clock could cause a buffer overflow potentially resulting in memory being modified. A malicious refclock could provide a negative length to trigger this vulnerability.
ntp 4.2.8p2
At line 3233 in ntp_io.c, a size check is performed to ensure that the length provided isn't greater than the space available in the buffer that is being written to.
3233 i = (rp->datalen == 0
3234 || rp->datalen > (int)sizeof(rb->recv_space))
3235 ? (int)sizeof(rb->recv_space)
3236 : rp->datalen;
3237 do {
3238 buflen = read(fd, (char *)&rb->recv_space, (u_int)i);
3239 } while (buflen < 0 && EINTR == errno);
However, the size check is performed by casting the size of the buffer to an integer type and doing a signed integer comparison. A negative datalen is neither zero nor greater than the buffer size, so it passes the check and i is assigned a negative value. When i is then cast to u_int as the length argument to read at line 3238, it becomes a very large unsigned value, resulting in a buffer overflow.
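The length selection from lines 3233-3236 beside a hardened variant, as an added example that is not part of the original report or the ntp source. RECV_SPACE is a constructed stand-in for sizeof(rb->recv_space), the function names are hypothetical, and the hardened check is one possible fix, not necessarily the one ntp shipped.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed size; stands in for sizeof(rb->recv_space). */
#define RECV_SPACE 1000

/* Same selection logic as lines 3233-3236: only a signed upper-bound check. */
static int len_as_in_report(int datalen)
{
    return (datalen == 0 || datalen > (int)RECV_SPACE)
        ? (int)RECV_SPACE
        : datalen;
}

/* The count read() is asked for after the (u_int) cast at line 3238. */
static unsigned int read_request(int i)
{
    return (unsigned int)i;
}

/* Hardened variant (assumption, not the project's patch): anything
 * outside 1..RECV_SPACE falls back to the full buffer size, and the
 * result is unsigned so no later cast can change its meaning. */
static size_t len_hardened(int datalen)
{
    if (datalen <= 0 || (size_t)datalen > RECV_SPACE)
        return RECV_SPACE;
    return (size_t)datalen;
}

int main(void)
{
    /* Constructed datalen values a refclock driver might report. */
    int samples[] = { 0, 64, 1000, 5000, -1, -4096 };
    size_t n = sizeof(samples) / sizeof(samples[0]);

    for (size_t k = 0; k < n; k++) {
        int i = len_as_in_report(samples[k]);
        unsigned int req = read_request(i);
        printf("datalen=%6d  reported-logic read count=%10u (%s)  hardened=%zu\n",
               samples[k], req,
               req > RECV_SPACE ? "exceeds buffer" : "ok",
               len_hardened(samples[k]));
    }
    return 0;
}
```

Every negative datalen is reported as "exceeds buffer" for the original logic, while the hardened count never leaves the 1..RECV_SPACE range.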
Yves Younan of Cisco Talos