#VU29293 Memory leak in ntp


Published: 2020-06-25 | Updated: 2020-06-29

Vulnerability identifier: #VU29293

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-15025

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ntp
Server applications / Other server solutions

Vendor: ntp.org

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when processing CMAC authentication. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ntp: 4.2.8p11 - 4.3.100

External links
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/NEWS

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler 20.03 LTS SP3 update for ntp
openEuler 20.03 LTS SP1 update for ntp
openEuler 20.03 LTS update for ntp
Gentoo update for NTP
OpenSUSE Linux update for ntp
OpenSUSE Linux update for ntp
Slackware Linux update for ntp
Memory leak in ntp