CVE-2015-5300

2015-10-2200:00:00

ubuntu.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.021 Low

EPSS

Percentile

88.9%

JSON

The panic_gate check in NTP before 4.2.8p5 is only re-enabled after the
first change to the system clock that was greater than 128 milliseconds by
default, which allows remote attackers to set NTP to an arbitrary time when
started with the -g option, or to alter the time by up to 900 seconds
otherwise by responding to an unspecified number of requests from trusted
sources, and leveraging a resulting denial of service (abort and restart).

Bugs

<https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5300>

Notes

Author	Note
mdeslaur	as of 2015-10-22, not yet fixed upstream patch in redhat bug, but improved patch in comment #3 is restricted

OSVersionArchitecturePackageVersionFilename
ubuntu12.04noarchntp< 1:4.2.6.p3+dfsg-1ubuntu3.6UNKNOWN
ubuntu14.04noarchntp< 1:4.2.6.p5+dfsg-3ubuntu2.14.04.5UNKNOWN
ubuntu15.04noarchntp< 1:4.2.6.p5+dfsg-3ubuntu6.2UNKNOWN
ubuntu15.10noarchntp< 1:4.2.6.p5+dfsg-3ubuntu8.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	12.04	noarch	ntp	< 1:4.2.6.p3+dfsg-1ubuntu3.6	UNKNOWN
ubuntu	14.04	noarch	ntp	< 1:4.2.6.p5+dfsg-3ubuntu2.14.04.5	UNKNOWN
ubuntu	15.04	noarch	ntp	< 1:4.2.6.p5+dfsg-3ubuntu6.2	UNKNOWN
ubuntu	15.10	noarch	ntp	< 1:4.2.6.p5+dfsg-3ubuntu8.1	UNKNOWN