CVE-2015-3405

Sažetak

ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys.

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=1210324
https://bugs.ntp.org/show_bug.cgi?id=2797
http://www.securityfocus.com/bid/74045
http://www.openwall.com/lists/oss-security/2015/04/23/14
http://www.debian.org/security/2015/dsa-3388
http://www.debian.org/security/2015/dsa-3223
http://rhn.redhat.com/errata/RHSA-2015-2231.html
http://rhn.redhat.com/errata/RHSA-2015-1459.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00000.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/156248.html
http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03886en_us

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

13-02-2023 - 00:49

Objavljeno

09-08-2017 - 16:29