PT-2015-3301 · Ntt+7 · Ntp+8
Martin Prpič
·
Publicado
2015-10-21
·
Atualizado
2024-06-15
·
CVE-2015-7701
CVSS v2.0
7.8
Alta
| Vetor | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
NTP versions 4.2.x through 4.2.8p3
NTP versions 4.3.x through 4.3.76
Description
The issue is related to a memory leak in the CRYPTO ASSOC function in ntpd, which can be exploited by remote attackers to cause a denial of service due to memory consumption. This is caused by errors in resource management. An attacker could exploit this to cause a denial of service. Additionally, the decodenetnum() function has an issue where it fails to return FAIL on some invalid values, instead causing an ASSERT botch, which can also lead to a denial of service.
Recommendations
For NTP versions 4.2.x through 4.2.8p3, update to version 4.2.8p4 or later.
For NTP versions 4.3.x through 4.3.76, update to version 4.3.77 or later.
As a temporary workaround, consider restricting access to the CRYPTO ASSOC function and the decodenetnum() function until a patch is available.
Exploit
Correção
DoS
Missing Release of Resource after Effective Lifetime
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Alt Linux
Centos
Cisco Ios Xe
Cisco Nexus
Ibm Aix
Ntp
Red Hat
Suse
Ubuntu