CVE-2015-3405
NONE EPSS 91.6%
Published Aug 9, 2017 8y ago
Last Modified Jun 17, 2026 2w ago
Description
ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys.
Threat Intelligence
EPSS Exploit Probability
91.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-331
Affected Products 28
| Vendor | Product | Version | Range |
|---|---|---|---|
| ntp | ntp | 4.2.8 | any |
| ntp | ntp | 4.2.8 | any |
| ntp | ntp | 4.2.8 | any |
| ntp | ntp | 4.3.0 | any |
| ntp | ntp | 4.3.1 | any |
| ntp | ntp | 4.3.2 | any |
| ntp | ntp | 4.3.3 | any |
| ntp | ntp | 4.3.4 | any |
| ntp | ntp | 4.3.5 | any |
| ntp | ntp | 4.3.6 | any |
| ntp | ntp | 4.3.7 | any |
| ntp | ntp | 4.3.8 | any |
| ntp | ntp | 4.3.9 | any |
| ntp | ntp | 4.3.10 | any |
| ntp | ntp | 4.3.11 | any |
| debian | debian_linux | 7.0 | any |
| debian | debian_linux | 8.0 | any |
| opensuse | suse_linux_enterprise_server | 11.0 | any |
| opensuse_project | suse_linux_enterprise_desktop | 11.0 | any |
| suse | suse_linux_enterprise_server | 11.0 | any |
| fedoraproject | fedora | 21 | any |
| redhat | enterprise_linux_desktop | 6.0 | any |
| redhat | enterprise_linux_for_ibm_z_systems | 6.0 | any |
| redhat | enterprise_linux_for_power_big_endian | 6.0 | any |
| redhat | enterprise_linux_for_scientific_computing | 6.0 | any |
| redhat | enterprise_linux_server | 6.0 | any |
| redhat | enterprise_linux_server_from_rhui_6 | 6.0 | any |
| redhat | enterprise_linux_workstation | 6.0 | any |
References 14
- bk1.ntp.org http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg
- lists.fedoraproject.org http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156248.html
- lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00000.html
- rhn.redhat.com http://rhn.redhat.com/errata/RHSA-2015-1459.html
- rhn.redhat.com http://rhn.redhat.com/errata/RHSA-2015-2231.html
- debian.org http://www.debian.org/security/2015/dsa-3223
- debian.org http://www.debian.org/security/2015/dsa-3388
- openwall.com http://www.openwall.com/lists/oss-security/2015/04/23/14
- oracle.com http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- oracle.com http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- securityfocus.com http://www.securityfocus.com/bid/74045
- bugs.ntp.org https://bugs.ntp.org/show_bug.cgi?id=2797
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1210324
- support.hpe.com https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03886en_us
Remediation
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1210324