CVE-2015-7974

high

Description

NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."

References

http://www.talosintel.com/reports/TALOS-2016-0071/

http://bugs.ntp.org/show_bug.cgi?id=2936

http://support.ntp.org/bin/view/Main/NtpBug2936

http://www.securityfocus.com/bid/81960

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03750en_us

https://security.gentoo.org/glsa/201607-15

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03766en_us

http://www.securitytracker.com/id/1034782

http://www.debian.org/security/2016/dsa-3629

https://security.netapp.com/advisory/ntap-20171031-0001/

https://security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc

http://rhn.redhat.com/errata/RHSA-2016-2583.html

https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf

https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11

Details

Source: MITRE

Published: 2016-01-26

Updated: 2021-04-26

Type: CWE-287

Risk Information

CVSS v2

Base Score: 4

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8

Severity: MEDIUM

CVSS v3

Base Score: 7.7

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Impact Score: 4

Exploitability Score: 3.1

Severity: HIGH