CVE-2015-7974

HIGH

NTP <4.2.8p6-4.3.90 - Privilege Escalation

Title source: llm

Description

NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."

References (14)

Core References
Exploit, Third Party Advisory x_refsource_misc
http://www.talosintel.com/reports/TALOS-2016-0071/
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3629
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/81960
Vendor Advisory x_refsource_confirm
http://support.ntp.org/bin/view/Main/NtpBug2936
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1034782
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2583.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20171031-0001/
Issue Tracking, Vendor Advisory x_refsource_confirm
http://bugs.ntp.org/show_bug.cgi?id=2936
Third Party Advisory vendor-advisory x_refsource_freebsd
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201607-15
Third Party Advisory x_refsource_confirm
https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf
Third Party Advisory, US Government Resource x_refsource_misc
https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11

Scores

CVSS v3 7.7
EPSS 0.1069
EPSS Percentile 93.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Details

CWE
CWE-287
Status published
Products (8)
debian/debian_linux 8.0
debian/debian_linux 9.0
netapp/clustered_data_ontap
netapp/oncommand_balance
ntp/ntp 4.2.8 (19 CPE variants)
ntp/ntp 4.2.0 - 4.2.8
siemens/tim_4r-ie_dnp3_firmware
siemens/tim_4r-ie_firmware
Published Jan 26, 2016
Tracked Since Feb 18, 2026