CVE-2020-15025 — MEDIUM (4.4)

Q: How severe is CVE-2020-15025?

CVE-2020-15025 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-15025?

Check the references section above for vendor advisories and patch information. Affected products include: Ntp Ntp, Opensuse Leap, Netapp Cloud Backup, Netapp Steelstore Cloud Integrated Storage, Netapp 8300 Firmware.

Vulnerability Description

ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.

CVSS Score

4.4

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Ntp	Ntp	>= 4.3.97, < 4.3.101
Opensuse	Leap	15.1
Netapp	Cloud Backup	-
Netapp	Steelstore Cloud Integrated Storage	-
Netapp	8300 Firmware	-
Netapp	8300	-
Netapp	8700 Firmware	-
Netapp	8700	-
Netapp	A400 Firmware	-
Netapp	A400	-
Netapp	H410C Firmware	-
Netapp	H410C	-
Netapp	H300S Firmware	-
Netapp	H300S	-
Netapp	H500S Firmware	-
Netapp	H500S	-
Netapp	H700S Firmware	-
Netapp	H700S	-
Netapp	H300E Firmware	-
Netapp	H300E	-

Related Weaknesses (CWE)

CWE-401

References

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.htmlMailing ListThird Party Advisory
https://bugs.gentoo.org/729458Issue TrackingThird Party Advisory
https://security.gentoo.org/glsa/202007-12Third Party Advisory
https://security.netapp.com/advisory/ntap-20200702-0002/Third Party Advisory
https://support.ntp.org/bin/view/Main/NtpBug3661Vendor Advisory
https://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_Release NotesVendor Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatchThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.htmlMailing ListThird Party Advisory
https://bugs.gentoo.org/729458Issue TrackingThird Party Advisory
https://security.gentoo.org/glsa/202007-12Third Party Advisory
https://security.netapp.com/advisory/ntap-20200702-0002/Third Party Advisory
https://support.ntp.org/bin/view/Main/NtpBug3661Vendor Advisory
https://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_Release NotesVendor Advisory

FAQ

What is CVE-2020-15025?

CVE-2020-15025 is a vulnerability with a CVSS score of 4.4 (MEDIUM). ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where...

How severe is CVE-2020-15025?

CVE-2020-15025 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-15025?

Check the references section above for vendor advisories and patch information. Affected products include: Ntp Ntp, Opensuse Leap, Netapp Cloud Backup, Netapp Steelstore Cloud Integrated Storage, Netapp 8300 Firmware.