CVE-2015-7850 : ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenti

ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to cause a denial of service (infinite loop or crash) by pointing the key file at the log file.

Published 2017-08-07 20:29:01

Updated 2020-06-18 15:10:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2015-7850

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
NTP » NTP
Versions from including (>=) 4.2.0 and before (<) 4.2.8
cpe:2.3:a:ntp:ntp:*:*:*:*:*:*:*:*
Matching versions
NTP » NTP
Versions from including (>=) 4.3.0 and before (<) 4.3.77
cpe:2.3:a:ntp:ntp:*:*:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8
cpe:2.3:a:ntp:ntp:4.2.8:-:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P2-rc1
cpe:2.3:a:ntp:ntp:4.2.8:p2-rc1:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P1
cpe:2.3:a:ntp:ntp:4.2.8:p1:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P2
cpe:2.3:a:ntp:ntp:4.2.8:p2:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P1-beta1
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta1:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P1-beta2
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta2:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P1-beta3
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta3:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P1-beta4
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta4:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P1-beta5
cpe:2.3:a:ntp:ntp:4.2.8:p1-beta5:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P1-rc1
cpe:2.3:a:ntp:ntp:4.2.8:p1-rc1:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P1-rc2
cpe:2.3:a:ntp:ntp:4.2.8:p1-rc2:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P2-rc2
cpe:2.3:a:ntp:ntp:4.2.8:p2-rc2:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P2-rc3
cpe:2.3:a:ntp:ntp:4.2.8:p2-rc3:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P3
cpe:2.3:a:ntp:ntp:4.2.8:p3:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P3-rc1
cpe:2.3:a:ntp:ntp:4.2.8:p3-rc1:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P3-rc2
cpe:2.3:a:ntp:ntp:4.2.8:p3-rc2:*:*:*:*:*:*
Matching versions
NTP » NTP » Version: 4.2.8 Update P3-rc3
cpe:2.3:a:ntp:ntp:4.2.8:p3-rc3:*:*:*:*:*:*
Matching versions
Netapp » Data Ontap » Version: N/A For 7-mode
cpe:2.3:o:netapp:data_ontap:-:*:*:*:*:7-mode:*:*
Matching versions
Netapp » Oncommand Balance » Version: N/A
cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
Matching versions
Netapp » Clustered Data Ontap » Version: N/A
cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
Matching versions
Netapp » Oncommand Unified Manager » Version: N/A For Clustered Data Ontap
cpe:2.3:a:netapp:oncommand_unified_manager:-:*:*:*:*:clustered_data_ontap:*:*
Matching versions
Netapp » Oncommand Performance Manager » Version: N/A
cpe:2.3:a:netapp:oncommand_performance_manager:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-7850

EPSS FAQ

1.37%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-7850

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:N/A:P	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2015-7850

CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-7850

https://bugzilla.redhat.com/show_bug.cgi?id=1274258

1274258 – (CVE-2015-7850) CVE-2015-7850 ntp: remote configuration denial of service vulnerability
Issue Tracking;Third Party Advisory;VDB Entry
http://www.securityfocus.com/bid/77279

Network Time Protocol CVE-2015-7850 Denial of Service Vulnerability
Third Party Advisory;VDB Entry
https://security.gentoo.org/glsa/201607-15

NTP: Multiple vulnerabilities (GLSA 201607-15) — Gentoo security
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.debian.org/security/2015/dsa-3388

Debian -- Security Information -- DSA-3388-1 ntp
Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20171004-0001/

October 2015 Network Time Protocol Daemon (ntpd) Vulnerabilities in Multiple NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1033951

ntp Multiple Flaws Let Remote Users Deny Service, View Files, and Bypass Authentication to Modify the Time - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://support.ntp.org/bin/view/Main/NtpBug2917

NtpBug2917 < Main < NTP
Patch;Vendor Advisory

Jump to

Vulnerability Details : CVE-2015-7850

Products affected by CVE-2015-7850

Exploit prediction scoring system (EPSS) score for CVE-2015-7850

CVSS scores for CVE-2015-7850

CWE ids for CVE-2015-7850

References for CVE-2015-7850