CVE-2015-7974high
Description
NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
References
http://www.talosintel.com/reports/TALOS-2016-0071/
http://bugs.ntp.org/show_bug.cgi?id=2936
http://support.ntp.org/bin/view/Main/NtpBug2936
http://www.securityfocus.com/bid/81960
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03750en_us
https://security.gentoo.org/glsa/201607-15
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03766en_us
http://www.securitytracker.com/id/1034782
http://www.debian.org/security/2016/dsa-3629
https://security.netapp.com/advisory/ntap-20171031-0001/
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc
http://rhn.redhat.com/errata/RHSA-2016-2583.html
https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf
Details
Source: MITRE
Published: 2016-01-26
Updated: 2021-04-26
Type: CWE-287
Risk Information
CVSS v2
Base Score: 4
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Impact Score: 2.9
Exploitability Score: 8
Severity: MEDIUM
CVSS v3
Base Score: 7.7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Impact Score: 4
Exploitability Score: 3.1
Severity: HIGH