CVE-2020-15025

ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 4.4 MEDIUM | NETWORK | HIGH | HIGH | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H |
| mitre | CNA | 4.4 MEDIUM | NETWORK | HIGH | HIGH | CVSS:3.1/AC:H/AV:N/A:H/C:N/I:N/PR:H/S:U/UI:N |
| CVE | ADP | --- | --- | | | |

EPSS Score percentile: 82%

| Vendor | Product | Version |
|---|---|---|
| ntp | ntp | 4.3.97 ≤ 𝑥 < 4.3.101 |
| ntp | ntp | 4.2.8:p11 |
| ntp | ntp | 4.2.8:p12 |
| ntp | ntp | 4.2.8:p13 |
| ntp | ntp | 4.2.8:p14 |
| opensuse | leap | 15.1 |
| opensuse | leap | 15.2 |
| netapp | cloud_backup | - |
| netapp | steelstore_cloud_integrated_storage | - |
| netapp | 8300_firmware | - |
| netapp | 8700_firmware | - |
| netapp | a400_firmware | - |
| netapp | h410c_firmware | - |
| netapp | h300s_firmware | - |
| netapp | h500s_firmware | - |
| netapp | h700s_firmware | - |
| netapp | h300e_firmware | - |
| netapp | h500e_firmware | - |
| netapp | h700e_firmware | - |
| netapp | h410s_firmware | - |
| oracle | zfs_storage_appliance_kit | 8.8 |

𝑥 = Vulnerable software versions
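
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| ntp | bullseye | 1:4.2.8p15+dfsg-1 | fixed |
| ntp | buster | | no-dsa |
| ntp | stretch | | not-affected |
| ntp | jessie | | not-affected |
| ntpsec | bullseye | 1.2.0+dfsg1-4 | fixed |
| ntpsec | buster | | no-dsa |
| ntpsec | stretch | | not-affected |
| ntpsec | jessie | | not-affected |
| ntpsec | bookworm | 1.2.2+dfsg1-1+deb12u1 | fixed |
| ntpsec | bookworm (security) | 1.2.2+dfsg1-1+deb12u1 | fixed |
| ntpsec | sid | 1.2.3+dfsg1-3 | fixed |
| ntpsec | trixie | 1.2.3+dfsg1-3 | fixed |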
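
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| ntp | noble | | dne |
| ntp | mantic | | dne |
| ntp | lunar | | dne |
| ntp | kinetic | | dne |
| ntp | jammy | | not-affected |
| ntp | impish | | ignored |
| ntp | hirsute | | ignored |
| ntp | groovy | | ignored |
| ntp | focal | Fixed 1:4.2.8p12+dfsg-3ubuntu4.20.04.1+esm1 | released |
| ntp | eoan | | ignored |
| ntp | bionic | | not-affected |
| ntp | xenial | | not-affected |
| ntp | trusty | | not-affected |
| ntpsec | noble | | not-affected |
| ntpsec | mantic | | not-affected |
| ntpsec | lunar | | not-affected |
| ntpsec | kinetic | | not-affected |
| ntpsec | jammy | | not-affected |
| ntpsec | impish | | not-affected |
| ntpsec | hirsute | | not-affected |
| ntpsec | groovy | | not-affected |
| ntpsec | focal | | not-affected |
| ntpsec | eoan | | not-affected |
| ntpsec | bionic | | not-affected |
| ntpsec | xenial | | dne |
| ntpsec | trusty | | dne |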