High Severity Vulnerability
This vulnerability has been rated as High severity. Immediate action is recommended.
CVE-2015-7703
High
Low
Medium
High
Critical
7.5
CVSS Score
Vulnerability Description
The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77, when ntpd is configured to allow remote configuration, allows remote attackers with an IP address that is allowed to send configuration requests, and with knowledge of the remote configuration password to write to arbitrary files via the :config command.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
N
Attack Complexity
L
Privileges Required
N
User Interaction
N
Scope
U
Confidentiality
N
Integrity
H
Availability
N
Known Affected Software
110 configuration(s) from 5 vendor(s)
debian_linux
Version:
8.0
CPE:
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
debian_linux
Version:
7.0
CPE:
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
debian_linux
Version:
9.0
CPE:
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
oncommand_performance_manager
Version:
-
CPE:
cpe:2.3:a:netapp:oncommand_performance_manager:-:*:*:*:*:*:*:*
data_ontap
Version:
-
CPE:
cpe:2.3:o:netapp:data_ontap:-:*:*:*:*:*:*:*
clustered_data_ontap
Version:
-
CPE:
cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
oncommand_unified_manager
Version:
-
CPE:
cpe:2.3:a:netapp:oncommand_unified_manager:-:*:*:*:*:*:*:*
ntp
Version:
4.3.75
CPE:
cpe:2.3:a:ntp:ntp:4.3.75:*:*:*:*:*:*:*
ntp
Version:
4.3.70
CPE:
cpe:2.3:a:ntp:ntp:4.3.70:*:*:*:*:*:*:*
ntp
Version:
4.3.6
CPE:
cpe:2.3:a:ntp:ntp:4.3.6:*:*:*:*:*:*:*
ntp
Version:
4.3.44
CPE:
cpe:2.3:a:ntp:ntp:4.3.44:*:*:*:*:*:*:*
ntp
Version:
4.2.8
CPE:
cpe:2.3:a:ntp:ntp:4.2.8:p15:*:*:*:*:*:*
ntp
Version:
4.3.26
CPE:
cpe:2.3:a:ntp:ntp:4.3.26:*:*:*:*:*:*:*
ntp
Version:
4.3.60
CPE:
cpe:2.3:a:ntp:ntp:4.3.60:*:*:*:*:*:*:*
ntp
Version:
4.3.47
CPE:
cpe:2.3:a:ntp:ntp:4.3.47:*:*:*:*:*:*:*
ntp
Version:
4.3.35
CPE:
cpe:2.3:a:ntp:ntp:4.3.35:*:*:*:*:*:*:*
ntp
Version:
4.3.37
CPE:
cpe:2.3:a:ntp:ntp:4.3.37:*:*:*:*:*:*:*
ntp
Version:
4.2.6
CPE:
cpe:2.3:a:ntp:ntp:4.2.6:p2:*:*:*:*:*:*
ntp
Version:
4.3.58
CPE:
cpe:2.3:a:ntp:ntp:4.3.58:*:*:*:*:*:*:*
ntp
Version:
4.3.32
CPE:
cpe:2.3:a:ntp:ntp:4.3.32:*:*:*:*:*:*:*
ntp
Version:
4.3.22
CPE:
cpe:2.3:a:ntp:ntp:4.3.22:*:*:*:*:*:*:*
ntp
Version:
4.3.15
CPE:
cpe:2.3:a:ntp:ntp:4.3.15:*:*:*:*:*:*:*
ntp
Version:
4.3.76
CPE:
cpe:2.3:a:ntp:ntp:4.3.76:*:*:*:*:*:*:*
ntp
Version:
4.3.62
CPE:
cpe:2.3:a:ntp:ntp:4.3.62:*:*:*:*:*:*:*
ntp
Version:
4.3.38
CPE:
cpe:2.3:a:ntp:ntp:4.3.38:*:*:*:*:*:*:*
ntp
Version:
4.3.57
CPE:
cpe:2.3:a:ntp:ntp:4.3.57:*:*:*:*:*:*:*
ntp
Version:
4.3.7
CPE:
cpe:2.3:a:ntp:ntp:4.3.7:*:*:*:*:*:*:*
ntp
Version:
4.2.5
CPE:
cpe:2.3:a:ntp:ntp:4.2.5:p241_rc1:*:*:*:*:*:*
ntp
Version:
4.3.40
CPE:
cpe:2.3:a:ntp:ntp:4.3.40:*:*:*:*:*:*:*
ntp
Version:
4.3.73
CPE:
cpe:2.3:a:ntp:ntp:4.3.73:*:*:*:*:*:*:*
ntp
Version:
4.3.46
CPE:
cpe:2.3:a:ntp:ntp:4.3.46:*:*:*:*:*:*:*
ntp
Version:
4.3.61
CPE:
cpe:2.3:a:ntp:ntp:4.3.61:*:*:*:*:*:*:*
ntp
Version:
4.3.4
CPE:
cpe:2.3:a:ntp:ntp:4.3.4:*:*:*:*:*:*:*
ntp
Version:
4.3.72
CPE:
cpe:2.3:a:ntp:ntp:4.3.72:*:*:*:*:*:*:*
ntp
Version:
4.3.8
CPE:
cpe:2.3:a:ntp:ntp:4.3.8:*:*:*:*:*:*:*
ntp
Version:
4.3.52
CPE:
cpe:2.3:a:ntp:ntp:4.3.52:*:*:*:*:*:*:*
ntp
Version:
4.2.2
CPE:
cpe:2.3:a:ntp:ntp:4.2.2:p2:*:*:*:*:*:*
ntp
Version:
4.3.17
CPE:
cpe:2.3:a:ntp:ntp:4.3.17:*:*:*:*:*:*:*
ntp
Version:
4.3.66
CPE:
cpe:2.3:a:ntp:ntp:4.3.66:*:*:*:*:*:*:*
ntp
Version:
4.3.64
CPE:
cpe:2.3:a:ntp:ntp:4.3.64:*:*:*:*:*:*:*
ntp
Version:
4.3.24
CPE:
cpe:2.3:a:ntp:ntp:4.3.24:*:*:*:*:*:*:*
ntp
Version:
4.3.3
CPE:
cpe:2.3:a:ntp:ntp:4.3.3:*:*:*:*:*:*:*
ntp
Version:
4.3.48
CPE:
cpe:2.3:a:ntp:ntp:4.3.48:*:*:*:*:*:*:*
ntp
Version:
4.3.0
CPE:
cpe:2.3:a:ntp:ntp:4.3.0:*:*:*:*:*:*:*
ntp
Version:
4.3.27
CPE:
cpe:2.3:a:ntp:ntp:4.3.27:*:*:*:*:*:*:*
ntp
Version:
4.3.19
CPE:
cpe:2.3:a:ntp:ntp:4.3.19:*:*:*:*:*:*:*
ntp
Version:
4.3.45
CPE:
cpe:2.3:a:ntp:ntp:4.3.45:*:*:*:*:*:*:*
ntp
Version:
4.3.67
CPE:
cpe:2.3:a:ntp:ntp:4.3.67:*:*:*:*:*:*:*
ntp
Version:
4.3.16
CPE:
cpe:2.3:a:ntp:ntp:4.3.16:*:*:*:*:*:*:*
ntp
Version:
4.3.2
CPE:
cpe:2.3:a:ntp:ntp:4.3.2:*:*:*:*:*:*:*
ntp
Version:
4.2.4
CPE:
cpe:2.3:a:ntp:ntp:4.2.4:p0:*:*:*:*:*:*
ntp
Version:
4.3.18
CPE:
cpe:2.3:a:ntp:ntp:4.3.18:*:*:*:*:*:*:*
ntp
Version:
4.2.7
CPE:
cpe:2.3:a:ntp:ntp:4.2.7:-:*:*:*:*:*:*
ntp
Version:
4.3.51
CPE:
cpe:2.3:a:ntp:ntp:4.3.51:*:*:*:*:*:*:*
ntp
Version:
4.3.56
CPE:
cpe:2.3:a:ntp:ntp:4.3.56:*:*:*:*:*:*:*
ntp
Version:
4.3.34
CPE:
cpe:2.3:a:ntp:ntp:4.3.34:*:*:*:*:*:*:*
ntp
Version:
4.3.69
CPE:
cpe:2.3:a:ntp:ntp:4.3.69:*:*:*:*:*:*:*
ntp
Version:
4.3.28
CPE:
cpe:2.3:a:ntp:ntp:4.3.28:*:*:*:*:*:*:*
ntp
Version:
4.3.59
CPE:
cpe:2.3:a:ntp:ntp:4.3.59:*:*:*:*:*:*:*
ntp
Version:
4.3.71
CPE:
cpe:2.3:a:ntp:ntp:4.3.71:*:*:*:*:*:*:*
ntp
Version:
4.3.10
CPE:
cpe:2.3:a:ntp:ntp:4.3.10:*:*:*:*:*:*:*
ntp
Version:
4.3.20
CPE:
cpe:2.3:a:ntp:ntp:4.3.20:*:*:*:*:*:*:*
ntp
Version:
4.3.74
CPE:
cpe:2.3:a:ntp:ntp:4.3.74:*:*:*:*:*:*:*
ntp
Version:
4.3.65
CPE:
cpe:2.3:a:ntp:ntp:4.3.65:*:*:*:*:*:*:*
ntp
Version:
4.3.14
CPE:
cpe:2.3:a:ntp:ntp:4.3.14:*:*:*:*:*:*:*
ntp
Version:
4.3.43
CPE:
cpe:2.3:a:ntp:ntp:4.3.43:*:*:*:*:*:*:*
ntp
Version:
4.3.49
CPE:
cpe:2.3:a:ntp:ntp:4.3.49:*:*:*:*:*:*:*
ntp
Version:
4.3.12
CPE:
cpe:2.3:a:ntp:ntp:4.3.12:*:*:*:*:*:*:*
ntp
Version:
4.3.50
CPE:
cpe:2.3:a:ntp:ntp:4.3.50:*:*:*:*:*:*:*
ntp
Version:
4.3.1
CPE:
cpe:2.3:a:ntp:ntp:4.3.1:*:*:*:*:*:*:*
ntp
Version:
4.3.13
CPE:
cpe:2.3:a:ntp:ntp:4.3.13:*:*:*:*:*:*:*
ntp
Version:
4.3.9
CPE:
cpe:2.3:a:ntp:ntp:4.3.9:*:*:*:*:*:*:*
ntp
Version:
4.3.5
CPE:
cpe:2.3:a:ntp:ntp:4.3.5:*:*:*:*:*:*:*
ntp
Version:
4.2.0
CPE:
cpe:2.3:a:ntp:ntp:4.2.0:*:*:*:*:*:*:*
ntp
Version:
4.3.41
CPE:
cpe:2.3:a:ntp:ntp:4.3.41:*:*:*:*:*:*:*
ntp
Version:
4.3.30
CPE:
cpe:2.3:a:ntp:ntp:4.3.30:*:*:*:*:*:*:*
ntp
Version:
4.3.36
CPE:
cpe:2.3:a:ntp:ntp:4.3.36:*:*:*:*:*:*:*
ntp
Version:
4.3.11
CPE:
cpe:2.3:a:ntp:ntp:4.3.11:*:*:*:*:*:*:*
ntp
Version:
4.3.55
CPE:
cpe:2.3:a:ntp:ntp:4.3.55:*:*:*:*:*:*:*
ntp
Version:
4.3.21
CPE:
cpe:2.3:a:ntp:ntp:4.3.21:*:*:*:*:*:*:*
ntp
Version:
4.3.33
CPE:
cpe:2.3:a:ntp:ntp:4.3.33:*:*:*:*:*:*:*
ntp
Version:
4.3.53
CPE:
cpe:2.3:a:ntp:ntp:4.3.53:*:*:*:*:*:*:*
ntp
Version:
4.3.31
CPE:
cpe:2.3:a:ntp:ntp:4.3.31:*:*:*:*:*:*:*
ntp
Version:
4.3.23
CPE:
cpe:2.3:a:ntp:ntp:4.3.23:*:*:*:*:*:*:*
ntp
Version:
4.3.68
CPE:
cpe:2.3:a:ntp:ntp:4.3.68:*:*:*:*:*:*:*
ntp
Version:
4.3.39
CPE:
cpe:2.3:a:ntp:ntp:4.3.39:*:*:*:*:*:*:*
ntp
Version:
4.3.29
CPE:
cpe:2.3:a:ntp:ntp:4.3.29:*:*:*:*:*:*:*
ntp
Version:
4.3.63
CPE:
cpe:2.3:a:ntp:ntp:4.3.63:*:*:*:*:*:*:*
ntp
Version:
4.3.42
CPE:
cpe:2.3:a:ntp:ntp:4.3.42:*:*:*:*:*:*:*
ntp
Version:
4.3.54
CPE:
cpe:2.3:a:ntp:ntp:4.3.54:*:*:*:*:*:*:*
ntp
Version:
4.3.25
CPE:
cpe:2.3:a:ntp:ntp:4.3.25:*:*:*:*:*:*:*
linux
Version:
6
CPE:
cpe:2.3:o:oracle:linux:6:10:*:*:*:*:*:*
enterprise_linux_server_eus
Version:
7.6
CPE:
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
enterprise_linux_workstation
Version:
7.0
CPE:
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:x64:*
enterprise_linux_server_eus
Version:
7.3
CPE:
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.3:*:*:*:*:*:*:*
enterprise_linux_server_eus
Version:
7.4
CPE:
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
enterprise_linux_server_aus
Version:
7.4
CPE:
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
enterprise_linux_server
Version:
6.0
CPE:
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:x86:*
enterprise_linux_server_tus
Version:
7.6
CPE:
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
enterprise_linux_server_eus
Version:
7.7
CPE:
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.7:*:*:*:*:*:*:*
enterprise_linux_server
Version:
7.0
CPE:
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:x64:*
enterprise_linux_server_aus
Version:
7.6
CPE:
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
enterprise_linux_server_aus
Version:
7.3
CPE:
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
enterprise_linux_desktop
Version:
7.0
CPE:
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:x64:*
enterprise_linux_server_aus
Version:
7.7
CPE:
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
enterprise_linux_server_eus
Version:
7.5
CPE:
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
enterprise_linux_desktop
Version:
6.0
CPE:
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:x64:*
enterprise_linux_server_tus
Version:
7.3
CPE:
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
enterprise_linux_server_tus
Version:
7.7
CPE:
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
enterprise_linux_workstation
Version:
6.0
CPE:
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:x86:*
This vulnerability affects 110 software configuration(s). Ensure you patch all affected systems.
References & Resources
-
http://rhn.redhat.com/errata/RHSA-2016-0780.htmlcve@mitre.org Third Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-2583.htmlcve@mitre.org Third Party Advisory
-
http://support.ntp.org/bin/view/Main/NtpBug2902cve@mitre.org Vendor Advisory
-
http://www.debian.org/security/2015/dsa-3388cve@mitre.org Third Party Advisory
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.htmlcve@mitre.org Third Party Advisory
-
http://www.securityfocus.com/bid/77278cve@mitre.org Third Party Advisory VDB Entry
-
http://www.securitytracker.com/id/1033951cve@mitre.org Third Party Advisory VDB Entry
-
https://bugzilla.redhat.com/show_bug.cgi?id=1254547cve@mitre.org Issue Tracking Third Party Advisory VDB Entry
-
https://security.gentoo.org/glsa/201607-15cve@mitre.org Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20171004-0001/cve@mitre.org Third Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-0780.htmlaf854a3a-2127-422b-91ae-364da2661108 Third Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2016-2583.htmlaf854a3a-2127-422b-91ae-364da2661108 Third Party Advisory
-
http://support.ntp.org/bin/view/Main/NtpBug2902af854a3a-2127-422b-91ae-364da2661108 Vendor Advisory
-
http://www.debian.org/security/2015/dsa-3388af854a3a-2127-422b-91ae-364da2661108 Third Party Advisory
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.htmlaf854a3a-2127-422b-91ae-364da2661108 Third Party Advisory
-
http://www.securityfocus.com/bid/77278af854a3a-2127-422b-91ae-364da2661108 Third Party Advisory VDB Entry
-
http://www.securitytracker.com/id/1033951af854a3a-2127-422b-91ae-364da2661108 Third Party Advisory VDB Entry
-
https://bugzilla.redhat.com/show_bug.cgi?id=1254547af854a3a-2127-422b-91ae-364da2661108 Issue Tracking Third Party Advisory VDB Entry
-
https://security.gentoo.org/glsa/201607-15af854a3a-2127-422b-91ae-364da2661108 Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20171004-0001/af854a3a-2127-422b-91ae-364da2661108 Third Party Advisory
Severity Details
7.5
out of 10.0
High
Weakness Type (CWE)
CWE-20
Top 25 #14
Improper Input Validation
- Description
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- Exploit Likelihood
- High
- Typical Severity
- High
- Abstraction Level
- Class
Key Information
- Published Date
- July 24, 2017
