CVE-2020-15025

ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.

Published: Jun 24, 2020
Updated: Apr 13, 2023
CVE: CVE-2020-15025
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.9
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:N/A:P

CWEs:

CWE-401

Affected Software
References

Software	From	Fixed in
ntp / ntp	4.2.8-p11	4.2.8-p11.x
ntp / ntp	4.2.8-p12	4.2.8-p12.x
ntp / ntp	4.2.8-p13	4.2.8-p13.x
ntp / ntp	4.3.97	4.3.101
ntp / ntp	4.2.8-p14	4.2.8-p14.x
opensuse / leap	15.1	15.1.x
opensuse / leap	15.2	15.2.x
oracle / zfs_storage_appliance_kit	8.8	8.8.x

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html
https://bugs.gentoo.org/729458
https://security.gentoo.org/glsa/202007-12
https://security.netapp.com/advisory/ntap-20200702-0002/
https://support.ntp.org/bin/view/Main/NtpBug3661
https://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_Relea
https://www.oracle.com/security-alerts/cpujan2021.html

Vulnerability Database

289,697

CVE-2020-15025