| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.5 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as critical, was found in ntpd up to 4.2.8. The impacted element is an unknown function of the component MAC Checker. The manipulation results in Remote Code Execution. This vulnerability is cataloged as CVE-2015-1798. There is no exploit available. You should upgrade the affected component.
Details
A vulnerability classified as critical has been found in ntpd up to 4.2.8 (Network Management Software). Affected is some unknown functionality of the component MAC Checker. The manipulation with an unknown input leads to a code vulnerability. CWE is classifying the issue as CWE-17. This is going to have an impact on confidentiality, integrity, and availability.
The weakness was disclosed on 04/07/2015 by Miroslav Lichvar with Red Hat as confirmed advisory Sec 2779 (Website). The advisory is available for download at support.ntp.org. The vendor cooperated in the coordination of the public release. This vulnerability has been tracked as CVE-2015-1798 since 02/17/2015. The attack can only be initiated within the local network. Exploitation doesn't require any form of authentication. Neither technical details nor an exploit are publicly available. The advisory points out:
When ntpd is configured to use a symmetric key to authenticate a remote NTP server/peer, it checks if the NTP message authentication code (MAC) in received packets is valid, but not if there actually is any MAC included. Packets without a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to send false packets that are accepted by the client/peer without having to know the symmetric key. The attacker needs to know the transmit timestamp of the client to match it in the forged reply and the false reply needs to reach the client before the genuine reply from the server. The attacker doesn't necessarily need to be relaying the packets between the client and the server.
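The acceptance logic the advisory describes can be modelled on the receiving side as follows. This is an added example, not ntpd's code and not part of the advisory: the function names, the key table and the sample packets are constructed for illustration, and the MAC is assumed to be the classic NTP layout of a 4-byte key ID followed by MD5(key || packet).

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48                  # fixed NTP header (no extension fields here)
MAC_LEN = 4 + 16                     # 4-byte key ID + 16-byte MD5 digest
KEYS = {1: b"constructed-demo-key"}  # constructed key table: key ID -> secret


def add_mac(header, key_id):
    """Append key ID and MD5(key || header), as a keyed server would."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def mac_state(packet):
    """Classify a packet: 'none' (no MAC), 'ok' (verifies) or 'error'."""
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(header) == NTP_HEADER_LEN and not trailer:
        return "none"
    if len(header) < NTP_HEADER_LEN or len(trailer) != MAC_LEN:
        return "error"
    key = KEYS.get(struct.unpack("!I", trailer[:4])[0])
    if key is None:
        return "error"
    expected = hashlib.md5(key + header).digest()
    return "ok" if hmac.compare_digest(expected, trailer[4:]) else "error"


def accept_flawed(packet, peer_uses_key):
    """Behaviour the advisory describes: only an invalid MAC is rejected."""
    return mac_state(packet) != "error"


def accept_fixed(packet, peer_uses_key):
    """A keyed association accepts nothing but a packet whose MAC verifies."""
    state = mac_state(packet)
    return state == "ok" if peer_uses_key else state != "error"


# Constructed sample packets (mode 4 server reply, all other fields zero).
HEADER = bytes([0x24]) + bytes(NTP_HEADER_LEN - 1)
SIGNED = add_mac(HEADER, 1)
UNSIGNED = HEADER
TAMPERED = SIGNED[:-1] + bytes([SIGNED[-1] ^ 0xFF])

if __name__ == "__main__":
    for name, pkt in (("signed", SIGNED), ("unsigned", UNSIGNED), ("tampered", TAMPERED)):
        print(name, mac_state(pkt), accept_flawed(pkt, True), accept_fixed(pkt, True))
```

The distinguishing case is the unsigned packet on a keyed association: the flawed check treats "no MAC" the same as "valid MAC", while the corrected check requires a verified MAC whenever a key is configured for the peer.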
The vulnerability scanner Nessus provides a plugin with the ID 82737 (Mandriva Linux Security Advisory : ntp (MDVSA-2015:202)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Mandriva Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 350424 (Amazon Linux Security Advisory for ntp: AL2012-2015-087).
Upgrading to version 4.2.8p2 eliminates this vulnerability. The upgrade is hosted for download at ntp.org. A possible mitigation has been published immediately after the disclosure of the vulnerability. The advisory contains the following remark:
Configure ntpd with enough time sources and monitor it properly.
The vulnerability is also documented in the databases at X-Force (102051), Tenable (82737), SecurityFocus (BID 73951†), SecurityTracker (ID 1032032†) and Vulnerability Center (SBV-50918†). Further details are available at bugs.ntp.org. The entry VDB-105145 is related to this item. VulDB is the best source for vulnerability data and more expert information about this specific topic.
Affected
- FreeBSD
- Linux
CVSSv3
VulDB Meta Base Score: 6.3
VulDB Meta Temp Score: 5.5
VulDB Base Score: 6.3
VulDB Temp Score: 5.5
Exploiting
Class: Code
CWE: CWE-17
Physical: No
Local: No
Remote: Partially
Status: Unproven
Nessus ID: 82737
Nessus Name: Mandriva Linux Security Advisory : ntp (MDVSA-2015:202)
OpenVAS ID: 14611
OpenVAS Name: Amazon Linux Local Check: ALAS-2015-520
Countermeasures
Recommended: Upgrade
Upgrade: ntpd 4.2.8p2
Timeline
02/17/2015 🔍
04/07/2015 🔍
04/07/2015 🔍
04/07/2015 🔍
04/07/2015 🔍
04/08/2015 🔍
04/08/2015 🔍
04/13/2015 🔍
06/30/2015 🔍
07/01/2015 🔍
05/02/2022 🔍
Sources
Advisory: Sec 2779
Researcher: Miroslav Lichvar
Organization: Red Hat
Status: Confirmed
CVE: CVE-2015-1798
GCVE (CVE): GCVE-0-2015-1798
GCVE (VulDB): GCVE-100-74664
X-Force: 102051 - NTP MAC security bypass
SecurityFocus: 73951 - NTP CVE-2015-1798 Man in the Middle Security Bypass Vulnerability
SecurityTracker: 1032032 - Ntpd MAC Checking Failure Lets Remote Users Bypass Authentication
Vulnerability Center: 50918 - NTP before 4.2.8p2 Remote Spoofing due to a Flaw in the 'symmetric-key' Feature - CVE-2015-1798, Low
Entry
Created: 04/08/2015 10:20
Updated: 05/02/2022 19:28
Changes: 04/08/2015 10:20 (81), 07/03/2017 08:37 (13), 05/02/2022 19:21 (3), 05/02/2022 19:28 (1)