#VU29293 Memory leak in ntp - CVE-2020-15025

Cybersecurity Help s.r.o.

Published: 2020-06-25 | Updated: 2020-06-29

Vulnerability identifier: #VU29293

Vulnerability risk: Low

CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-15025

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ntp
Server applications / Other server solutions

Vendor: ntp.org

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when processing CMAC authentication. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ntp: 4.2.8p11 - 4.3.100

External links
https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/NEWS

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler 20.03 LTS SP3 update for ntp

openEuler 20.03 LTS SP1 update for ntp

openEuler 20.03 LTS update for ntp

Gentoo update for NTP

OpenSUSE Linux update for ntp

Slackware Linux update for ntp

Memory leak in ntp