CVSS2: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.01 Low
Percentile: 83.8%

CVE-2015-7849
An exploitable use-after-free vulnerability exists in the password management functionality of the Network Time Protocol. A specially crafted key file could cause a buffer overflow resulting in memory corruption. An attacker could provide a malicious password file to trigger this vulnerability.
ntp 4.2.8p2
The function authdelkeys() will free all the keys that are used for user authentication. In the case of normal keys, they will also be removed from the list of keys. However in the case of trusted keys, the memory holding the keys will be freed but the pointer to that memory location will not be set to NULL.
This is the code at line 598 in authkeys.c:

    if (KEY_TRUSTED & sk->flags) {
        if (sk->secret != NULL) {
            memset(sk->secret, '\0', sk->secretsize);
            free(sk->secret);
            /* sk->secret is not set to NULL after the free */
        }
        sk->secretsize = 0;
        sk->lifetime = 0;
    } else {

Since the trusted key is still in the linked list, a later update of that key simply copies the new secret through the stale pointer at line 541 in authkeys.c:

    for (sk = *bucket; sk != NULL; sk = sk->hlink) {
        if (keyno == sk->keyid) {
            sk->type = (u_short)keytype;
            secretsize = len;
            sk->secretsize = (u_short)secretsize;
    #ifndef DISABLE_BUG1243_FIX
            /* sk->secret may still point at the freed buffer here */
            memcpy(sk->secret, key, secretsize);

Reuse of a previous buffer can lead to inconsistencies in authentication tokens or memory corruption.
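
The fix pattern for the flaw described above, as an added example that is not ntp source code and not part of the original advisory: a reduced model of a key entry in which clearing a secret also NULLs the pointer, and reloading allocates a fresh buffer sized for the new secret instead of copying into the old one. The names `struct symkey`, `key_clear_secret`, `key_set_secret` and `demo_clear_then_reload` are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

struct symkey {                 /* reduced stand-in for the key entry */
    unsigned short secretsize;
    unsigned char *secret;
};

/* Wipe, free, and NULL the pointer so no stale reference survives. */
void key_clear_secret(struct symkey *sk)
{
    if (sk->secret != NULL) {
        memset(sk->secret, 0, sk->secretsize);
        free(sk->secret);
        sk->secret = NULL;      /* the step the excerpt above lacks */
    }
    sk->secretsize = 0;
}

/* Never write into the old buffer: allocate one sized for the new secret
 * and swap it in. Returns 0 on success, -1 on bad input or no memory. */
int key_set_secret(struct symkey *sk, const unsigned char *key, size_t len)
{
    unsigned char *fresh = (key && len && len <= 0xFFFF) ? malloc(len) : NULL;

    if (fresh == NULL)
        return -1;
    memcpy(fresh, key, len);
    key_clear_secret(sk);       /* safe when secret is already NULL */
    sk->secret = fresh;
    sk->secretsize = (unsigned short)len;
    return 0;
}

/* Constructed scenario: load a key, clear it, reload a longer one. */
int demo_clear_then_reload(void)
{
    struct symkey sk = { 0, NULL };
    const unsigned char k1[] = "short", k2[] = "a-much-longer-secret";
    int ok = key_set_secret(&sk, k1, sizeof k1) == 0;

    key_clear_secret(&sk);      /* entry stays "listed", pointer is NULL */
    ok = ok && sk.secret == NULL && sk.secretsize == 0;
    ok = ok && key_set_secret(&sk, k2, sizeof k2) == 0
            && (size_t)sk.secretsize == sizeof k2
            && memcmp(sk.secret, k2, sizeof k2) == 0;
    key_clear_secret(&sk);
    return ok;                  /* 1 if every invariant held */
}
```
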
Yves Younan of Cisco Talos