CVE-2015-3405

NONE EPSS 91.6%
Published Aug 9, 2017 8y ago
Last Modified Jun 17, 2026 2w ago

Description

ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys.

Threat Intelligence

EPSS Exploit Probability
91.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-331

Affected Products 28

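| Vendor | Product | Version | Range |
|---|---|---|---|
| ntp | ntp | 4.2.8 | any |
| ntp | ntp | 4.2.8 | any |
| ntp | ntp | 4.2.8 | any |
| ntp | ntp | 4.3.0 | any |
| ntp | ntp | 4.3.1 | any |
| ntp | ntp | 4.3.2 | any |
| ntp | ntp | 4.3.3 | any |
| ntp | ntp | 4.3.4 | any |
| ntp | ntp | 4.3.5 | any |
| ntp | ntp | 4.3.6 | any |
| ntp | ntp | 4.3.7 | any |
| ntp | ntp | 4.3.8 | any |
| ntp | ntp | 4.3.9 | any |
| ntp | ntp | 4.3.10 | any |
| ntp | ntp | 4.3.11 | any |
| debian | debian_linux | 7.0 | any |
| debian | debian_linux | 8.0 | any |
| opensuse | suse_linux_enterprise_server | 11.0 | any |
| opensuse_project | suse_linux_enterprise_desktop | 11.0 | any |
| suse | suse_linux_enterprise_server | 11.0 | any |
| fedoraproject | fedora | 21 | any |
| redhat | enterprise_linux_desktop | 6.0 | any |
| redhat | enterprise_linux_for_ibm_z_systems | 6.0 | any |
| redhat | enterprise_linux_for_power_big_endian | 6.0 | any |
| redhat | enterprise_linux_for_scientific_computing | 6.0 | any |
| redhat | enterprise_linux_server | 6.0 | any |
| redhat | enterprise_linux_server_from_rhui_6 | 6.0 | any |
| redhat | enterprise_linux_workstation | 6.0 | any |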

References 14

  • bk1.ntp.org http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg
    Third Party Advisory, Vendor Advisory
  • lists.fedoraproject.org http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156248.html
    Third Party Advisory
  • lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00000.html
    Third Party Advisory
  • rhn.redhat.com http://rhn.redhat.com/errata/RHSA-2015-1459.html
    Third Party Advisory, VDB Entry
  • rhn.redhat.com http://rhn.redhat.com/errata/RHSA-2015-2231.html
    Third Party Advisory, VDB Entry
  • debian.org http://www.debian.org/security/2015/dsa-3223
    Third Party Advisory
  • debian.org http://www.debian.org/security/2015/dsa-3388
    Third Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2015/04/23/14
    Mailing List, Third Party Advisory
  • oracle.com http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
  • oracle.com http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
  • securityfocus.com http://www.securityfocus.com/bid/74045
    Third Party Advisory, VDB Entry
  • bugs.ntp.org https://bugs.ntp.org/show_bug.cgi?id=2797
    Issue Tracking, Third Party Advisory, Vendor Advisory
  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1210324
    Issue Tracking, Patch, Third Party Advisory, VDB Entry
  • support.hpe.com https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03886en_us

Remediation

  • bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1210324
    Issue Tracking, Patch, Third Party Advisory, VDB Entry