Vulnerability Details : CVE-2020-15025
ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.
Vulnerability category: Denial of service
Products affected by CVE-2020-15025
- cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:*:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.8:p11:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.8:p12:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.8:p13:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.8:p14:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:8300_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:8700_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:a400_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-15025
- EPSS score: 0.50% (probability of exploitation activity in the next 30 days)
- Percentile: ~76% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-15025
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P | 8.0 | 2.9 | NIST | |
4.4 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H | 0.7 | 3.6 | MITRE | |
4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 1.2 | 3.6 | NIST | |
CWE ids for CVE-2020-15025
- The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-15025
- https://support.ntp.org/bin/view/Main/NtpBug3661
  NtpBug3661 < Main < NTP (Vendor Advisory)
- https://bugs.gentoo.org/729458
  729458 – (CVE-2020-15025) <net-misc/ntp-4.2.8_p15: Memory leak allowing denial of service (CVE-2020-15025) (Issue Tracking; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html
  Oracle Critical Patch Update Advisory - January 2021 (Patch; Third Party Advisory)
- https://security.gentoo.org/glsa/202007-12
  NTP: Multiple vulnerabilities (GLSA 202007-12) — Gentoo security (Third Party Advisory)
- https://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_Relea
  SecurityNotice < Main < NTP (Release Notes; Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20200702-0002/
  CVE-2020-15025 Network Time Protocol Daemon (ntpd) Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html
  [security-announce] openSUSE-SU-2020:0934-1: moderate: Security update f (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html
  [security-announce] openSUSE-SU-2020:1007-1: moderate: Security update f (Mailing List; Third Party Advisory)