CVE-2015-7974
First published: Tue Jan 26 2016(Updated: )
NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/ntp | 1:4.2.8p12+dfsg-4 1:4.2.8p15+dfsg-1 | |
| NTP ntp | >=4.2.0<4.2.8 | |
| NTP ntp | >=4.3.0<4.3.90 | |
| NTP ntp | =4.2.8 | |
| NTP ntp | =4.2.8-p1 | |
| NTP ntp | =4.2.8-p1-beta1 | |
| NTP ntp | =4.2.8-p1-beta2 | |
| NTP ntp | =4.2.8-p1-beta3 | |
| NTP ntp | =4.2.8-p1-beta4 | |
| NTP ntp | =4.2.8-p1-beta5 | |
| NTP ntp | =4.2.8-p1-rc1 | |
| NTP ntp | =4.2.8-p1-rc2 | |
| NTP ntp | =4.2.8-p2 | |
| NTP ntp | =4.2.8-p2-rc1 | |
| NTP ntp | =4.2.8-p2-rc2 | |
| NTP ntp | =4.2.8-p2-rc3 | |
| NTP ntp | =4.2.8-p3 | |
| NTP ntp | =4.2.8-p3-rc1 | |
| NTP ntp | =4.2.8-p3-rc2 | |
| NTP ntp | =4.2.8-p3-rc3 | |
| NTP ntp | =4.2.8-p4 | |
| NTP ntp | =4.2.8-p5 | |
| Siemens Tim 4r-ie Firmware | ||
| Siemens Tim 4r-ie | ||
| Siemens Tim 4r-ie Dnp3 Firmware | ||
| Siemens Tim 4r-ie Dnp3 | ||
| NetApp Clustered Data ONTAP | ||
| NetApp OnCommand Balance | ||
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Siemens TIM 4R-IE (incl. SIPLUS NET variants) | ||
| Siemens TIM 4R-IE DNP3 (incl. SIPLUS NET variants) |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
- http://support.ntp.org/bin/view/Main/NtpBug2936
- https://security-tracker.debian.org/tracker/CVE-2015-7974
- http://bugs.ntp.org/show_bug.cgi?id=2936
- http://rhn.redhat.com/errata/RHSA-2016-2583.html
- http://www.debian.org/security/2016/dsa-3629
- http://www.securityfocus.com/bid/81960
- http://www.securitytracker.com/id/1034782
- http://www.talosintel.com/reports/TALOS-2016-0071/
- https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03750en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03766en_us
- https://security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc
- https://security.gentoo.org/glsa/201607-15
- https://security.netapp.com/advisory/ntap-20171031-0001/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11
- https://www.cisa.gov/news-events/ics-advisories/icsa-21-103-11 (Advisory)
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/event
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/ntp
- canonical/ntp ntp
- version/ntp ntp/4.2.0
- version/ntp ntp/4.3.0
- version/ntp ntp/4.2.8
- version/ntp ntp/4.2.8-p1
- version/ntp ntp/4.2.8-p1-beta1
- version/ntp ntp/4.2.8-p1-beta2
- version/ntp ntp/4.2.8-p1-beta3
- version/ntp ntp/4.2.8-p1-beta4
- version/ntp ntp/4.2.8-p1-beta5
- version/ntp ntp/4.2.8-p1-rc1
- version/ntp ntp/4.2.8-p1-rc2
- version/ntp ntp/4.2.8-p2
- version/ntp ntp/4.2.8-p2-rc1
- version/ntp ntp/4.2.8-p2-rc2
- version/ntp ntp/4.2.8-p2-rc3
- version/ntp ntp/4.2.8-p3
- version/ntp ntp/4.2.8-p3-rc1
- version/ntp ntp/4.2.8-p3-rc2
- version/ntp ntp/4.2.8-p3-rc3
- version/ntp ntp/4.2.8-p4
- version/ntp ntp/4.2.8-p5
- vendor/siemens
- canonical/siemens tim 4r-ie firmware
- canonical/siemens tim 4r-ie
- canonical/siemens tim 4r-ie dnp3 firmware
- canonical/siemens tim 4r-ie dnp3
- vendor/netapp
- canonical/netapp clustered data ontap
- canonical/netapp oncommand balance
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- canonical/siemens tim 4r-ie (incl. siplus net variants)
- canonical/siemens tim 4r-ie dnp3 (incl. siplus net variants)