NTP BUG 2909: Slow memory leak in CRYPTO_ASSOC

Last update: March 2, 2022 17:28 UTC (616623bea)


Summary

Resolved: 4.2.8p4, 21 Oct 2015
References: Bug 2909, CVE-2015-7701
Affects: All ntp-4 releases that use autokey up to, but not including, 4.2.8p4, and 4.3.0 up to, but not including, 4.3.77. Resolved in 4.2.8p4.
CVSS2 Score: 0.0 best/usual case, 4.6 otherwise (AV:N/AC:H/Au:M/C:N/I:N/A:C)

Description

If ntpd is configured to use autokey, then an attacker can send packets to ntpd that will, after several days of ongoing attack, cause it to run out of memory.
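
An added example, not code from the NTP project: a check of whether a host falls inside the affected set in the Summary (version range plus autokey in use). The function names and the sample configuration are constructed for illustration, and pre-release suffixes such as -RC are not interpreted.

```python
import re

# NTP release strings look like "4.2.8p3" or "4.3.76"; "pN" is the patch level.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
# ntp.conf commands that configure associations (checked for the "autokey" option).
_ASSOC = {"server", "peer", "pool", "broadcast", "manycastclient"}

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
# example ntp.conf
driftfile /var/lib/ntp/ntp.drift
server time.example.net iburst autokey   # autokey association
crypto pw examplepassword
server 192.0.2.10 iburst
"""

def parse_version(text):
    """Return (major, minor, point, patch) from a string such as 'ntpd 4.2.8p3@1.3265'."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no NTP version found in {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_affected_version(text):
    """Advisory ranges: ntp-4 before 4.2.8p4, and 4.3.0 up to (not including) 4.3.77."""
    v = parse_version(text)
    if v[0] != 4:
        return False
    return v < (4, 2, 8, 4) or (4, 3, 0, 0) <= v < (4, 3, 77, 0)

def autokey_lines(conf_text):
    """Return (line_number, directive) for each line that turns autokey on."""
    hits = []
    for number, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if not tokens:
            continue
        if tokens[0] == "crypto" or (tokens[0] in _ASSOC and "autokey" in tokens[1:]):
            hits.append((number, " ".join(tokens)))
    return hits

def is_exposed(version_text, conf_text):
    """True only when the version is in range AND the configuration uses autokey."""
    return is_affected_version(version_text) and bool(autokey_lines(conf_text))

if __name__ == "__main__":
    for number, directive in autokey_lines(SAMPLE_CONF):
        print(f"line {number}: {directive}")
    print("exposed:", is_exposed("ntpd 4.2.8p3", SAMPLE_CONF))
```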


Mitigation


Credit

This weakness was discovered by Tenable Network Security.


Timeline