ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
13 Feb 2023, 00:49
Type | Values Removed | Values Added |
---|---|---|
Summary | ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys. | |
References |
|
02 Feb 2023, 15:16
Type | Values Removed | Values Added |
---|---|---|
Summary | A flaw was found in the way the ntp-keygen utility generated MD5 symmetric keys on big-endian systems. An attacker could possibly use this flaw to guess generated MD5 keys, which could then be used to spoof an NTP client or server. | |
References |
|
Information
Published : 2017-08-09 16:29
Updated : 2023-12-10 12:15
NVD link : CVE-2015-3405
Mitre link : CVE-2015-3405
CVE.ORG link : CVE-2015-3405
JSON object : View
Products Affected
redhat
- enterprise_linux_for_scientific_computing
- enterprise_linux_workstation
- enterprise_linux_desktop
- enterprise_linux_server
- enterprise_linux_server_from_rhui_6
- enterprise_linux_for_ibm_z_systems
- enterprise_linux_for_power_big_endian
opensuse_project
- suse_linux_enterprise_desktop
fedoraproject
- fedora
ntp
- ntp
opensuse
- suse_linux_enterprise_server
debian
- debian_linux
suse
- suse_linux_enterprise_server
CWE
CWE-331
Insufficient Entropy