CVE-2015-7974

ntp: missing key check allows impersonation between authenticated peers (VU#357792)

Severity Score

7.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."

NTP 4.x en versiones anteriores a 4.2.8p6 y 4.3.x en versiones anteriores a 4.3.90 no verifica las asociaciones del par de las claves simétricas cuando autentica paquetes, lo que podría permitir a atacante remotos llevar a cabo ataques de suplantación de identidad a través de una clave de confianza arbitraria, también conocida como "skeleton key".

A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A).

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-10-23 CVE Reserved
2016-01-26 CVE Published
2023-03-08 EPSS Updated
2024-08-06 CVE Updated
2024-08-06 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-287: Improper Authentication
CWE-304: Missing Critical Step in Authentication

CAPEC

References (16)

URL	Tag	Source
http://www.securityfocus.com/bid/81960	Third Party Advisory
http://www.securitytracker.com/id/1034782	Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf	Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03750en_us	Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03766en_us	Third Party Advisory
https://security.netapp.com/advisory/ntap-20171031-0001	Third Party Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11	Third Party Advisory

URL	Date	SRC
http://www.talosintel.com/reports/TALOS-2016-0071	2024-08-06

URL	Date	SRC

URL	Date	SRC
http://bugs.ntp.org/show_bug.cgi?id=2936	2021-04-26
http://rhn.redhat.com/errata/RHSA-2016-2583.html	2021-04-26
http://support.ntp.org/bin/view/Main/NtpBug2936	2021-04-26
http://www.debian.org/security/2016/dsa-3629	2021-04-26
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc	2021-04-26
https://security.gentoo.org/glsa/201607-15	2021-04-26
https://access.redhat.com/security/cve/CVE-2015-7974	2016-11-03
https://bugzilla.redhat.com/show_bug.cgi?id=1297471	2016-11-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Siemens Search vendor "Siemens"	Tim 4r-ie Firmware Search vendor "Siemens" for product "Tim 4r-ie Firmware"	*	-	Affected	in	Siemens Search vendor "Siemens"	Tim 4r-ie Search vendor "Siemens" for product "Tim 4r-ie"	-	-	Safe
Siemens Search vendor "Siemens"	Tim 4r-ie Dnp3 Firmware Search vendor "Siemens" for product "Tim 4r-ie Dnp3 Firmware"	*	-	Affected	in	Siemens Search vendor "Siemens"	Tim 4r-ie Dnp3 Search vendor "Siemens" for product "Tim 4r-ie Dnp3"	-	-	Safe
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				>= 4.2.0 < 4.2.8 Search vendor "Ntp" for product "Ntp" and version " >= 4.2.0 < 4.2.8"		-		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				>= 4.3.0 < 4.3.90 Search vendor "Ntp" for product "Ntp" and version " >= 4.3.0 < 4.3.90"		-		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		-		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p1		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p1-beta1		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p1-beta2		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p1-beta3		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p1-beta4		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p1-beta5		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p1-rc1		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p1-rc2		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p2		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p2-rc1		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p2-rc2		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p2-rc3		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p3		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p3-rc1		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p3-rc2		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p3-rc3		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p4		Affected
Ntp Search vendor "Ntp"		Ntp Search vendor "Ntp" for product "Ntp"				4.2.8 Search vendor "Ntp" for product "Ntp" and version "4.2.8"		p5		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				-		-		Affected
Netapp Search vendor "Netapp"		Oncommand Balance Search vendor "Netapp" for product "Oncommand Balance"				-		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected