Vulnerability Details : CVE-2015-5146
ntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.
Vulnerability category: Input validation, Denial of service
Products affected by CVE-2015-5146
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:*:p2:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-5146
- 1.11%: Probability of exploitation activity in the next 30 days
- ~ 85 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-5146
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:N/A:P | 6.8 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.6 | 3.6 | NIST | |
CWE ids for CVE-2015-5146
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-5146
- http://bugs.ntp.org/show_bug.cgi?id=2853
  Bug 2853 – Crafted remote config packet can crash some versions of ntpd. (Issue Tracking; Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170926.html
  [SECURITY] Fedora 21 Update: ntp-4.2.6p5-34.fc21 (Third Party Advisory)
- https://security.gentoo.org/glsa/201509-01
  NTP: Multiple vulnerablities (GLSA 201509-01) — Gentoo security (Mitigation; Third Party Advisory; VDB Entry)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169167.html
  [SECURITY] Fedora 22 Update: ntp-4.2.6p5-33.fc22 (Third Party Advisory)
- http://www.debian.org/security/2015/dsa-3388
  Debian -- Security Information -- DSA-3388-1 ntp (Third Party Advisory)
- http://www.securityfocus.com/bid/75589
  NTP CVE-2015-5146 Denial of Service Vulnerability (Third Party Advisory; VDB Entry)
- http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu
  SecurityNotice < Main < NTP (Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20180731-0003/
  CVE-2015-5146 Network Time Protocol Daemon (ntpd) Denial of Service Vulnerability in NetApp Products | NetApp Product Security
- http://www.securitytracker.com/id/1034168
  Ntpd Remote Configuration Bug Lets Remote Authenticated Users on the Local Network Cause the Target Service to Crash - SecurityTracker (Third Party Advisory; VDB Entry)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166992.html
  [SECURITY] Fedora 23 Update: ntp-4.2.6p5-33.fc23 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1238136
  1238136 – (CVE-2015-5146) CVE-2015-5146 ntp: ntpd control message crash on crafted NUL-byte in configuration directive (VU#668167) (Issue Tracking; Third Party Advisory)