CVE-2015-3405

CVSS Score: Low
Published: Aug 09, 2017
Last Modified: Apr 20, 2025

Vulnerability Description

ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys.

Known Affected Software

26 configuration(s) from 7 vendor(s)

debian_linux, Version: 8.0, CPE: cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
debian_linux, Version: 7.0, CPE: cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
fedora, Version: 21, CPE: cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
ntp, Version: 4.3.6, CPE: cpe:2.3:a:ntp:ntp:4.3.6:*:*:*:*:*:*:*
ntp, Version: 4.2.8, CPE: cpe:2.3:a:ntp:ntp:4.2.8:p15:*:*:*:*:*:*
ntp, Version: 4.3.7, CPE: cpe:2.3:a:ntp:ntp:4.3.7:*:*:*:*:*:*:*
ntp, Version: 4.3.4, CPE: cpe:2.3:a:ntp:ntp:4.3.4:*:*:*:*:*:*:*
ntp, Version: 4.3.8, CPE: cpe:2.3:a:ntp:ntp:4.3.8:*:*:*:*:*:*:*
ntp, Version: 4.3.3, CPE: cpe:2.3:a:ntp:ntp:4.3.3:*:*:*:*:*:*:*
ntp, Version: 4.3.0, CPE: cpe:2.3:a:ntp:ntp:4.3.0:*:*:*:*:*:*:*
ntp, Version: 4.3.2, CPE: cpe:2.3:a:ntp:ntp:4.3.2:*:*:*:*:*:*:*
ntp, Version: 4.3.10, CPE: cpe:2.3:a:ntp:ntp:4.3.10:*:*:*:*:*:*:*
ntp, Version: 4.3.1, CPE: cpe:2.3:a:ntp:ntp:4.3.1:*:*:*:*:*:*:*
ntp, Version: 4.3.9, CPE: cpe:2.3:a:ntp:ntp:4.3.9:*:*:*:*:*:*:*
ntp, Version: 4.3.5, CPE: cpe:2.3:a:ntp:ntp:4.3.5:*:*:*:*:*:*:*
ntp, Version: 4.3.11, CPE: cpe:2.3:a:ntp:ntp:4.3.11:*:*:*:*:*:*:*
suse_linux_enterprise_server, Version: 11.0, CPE: cpe:2.3:o:opensuse:suse_linux_enterprise_server:11.0:sp3:*:*:*:*:*:*
suse_linux_enterprise_desktop, Version: 11.0, CPE: cpe:2.3:o:opensuse_project:suse_linux_enterprise_desktop:11.0:sp3:*:*:*:*:*:*
enterprise_linux_for_scientific_computing, Version: 6.0, CPE: cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:6.0:*:*:*:*:*:x64:*
enterprise_linux_server_from_rhui_6, Version: 6.0, CPE: cpe:2.3:o:redhat:enterprise_linux_server_from_rhui_6:6.0:*:*:*:*:*:*:*
enterprise_linux_server, Version: 6.0, CPE: cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:x86:*
enterprise_linux_for_ibm_z_systems, Version: 6.0, CPE: cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:6.0:*:*:*:*:*:*:*
enterprise_linux_desktop, Version: 6.0, CPE: cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:x64:*
enterprise_linux_for_power_big_endian, Version: 6.0, CPE: cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:6.0:*:*:*:*:*:*:*
enterprise_linux_workstation, Version: 6.0, CPE: cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:x86:*
suse_linux_enterprise_server, Version: 11.0, CPE: cpe:2.3:o:suse:suse_linux_enterprise_server:11.0:sp3:*:*:*:vmware:*:*

This vulnerability affects 26 software configuration(s). Ensure you patch all affected systems.

Severity Details

Low

Weakness Type (CWE)

CWE-331: Insufficient Entropy

Description: The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
Typical Severity: Medium
Abstraction Level: Base

Key Information

Published Date: August 09, 2017