High severity7.5NVD Advisory· Published Aug 9, 2017· Updated May 13, 2026

CVE-2015-3405

Description

ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys.

Affected products

Ntp/Ntp15 versions
cpe:2.3:a:ntp:ntp:4.2.8:p1:*:*:*:*:*:*+ 14 more
- cpe:2.3:a:ntp:ntp:4.2.8:p1:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.8:p2:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.2.8:p2-rc1:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.9:*:*:*:*:*:*:*
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Fedoraproject/Fedora
cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
OpenSUSE/Suse Linux Enterprise Desktop
cpe:2.3:o:opensuse_project:suse_linux_enterprise_desktop:11.0:sp3:*:*:*:*:*:*
OpenSUSE/Suse Linux Enterprise Server
cpe:2.3:o:opensuse:suse_linux_enterprise_server:11.0:sp3:*:*:*:*:*:*
Red Hat/Enterprise Linux Desktop
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux For Ibm Z Systems
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:6.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux For Power Big Endian
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:6.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux For Scientific Computing
cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:6.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Server
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Server From Rhui 6
cpe:2.3:o:redhat:enterprise_linux_server_from_rhui_6:6.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Workstation
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
SUSE S.A./Linux Enterprise Server
cpe:2.3:o:suse:suse_linux_enterprise_server:11.0:sp3:*:*:*:vmware:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bugzilla.redhat.com/show_bug.cginvdIssue TrackingPatchThird Party AdvisoryVDB Entry
bk1.ntp.org/ntp-stable/nvdThird Party AdvisoryVendor Advisory
lists.fedoraproject.org/pipermail/package-announce/2015-April/156248.htmlnvdThird Party Advisory
lists.opensuse.org/opensuse-security-announce/2015-07/msg00000.htmlnvdThird Party Advisory
rhn.redhat.com/errata/RHSA-2015-1459.htmlnvdThird Party AdvisoryVDB Entry
rhn.redhat.com/errata/RHSA-2015-2231.htmlnvdThird Party AdvisoryVDB Entry
www.debian.org/security/2015/dsa-3223nvdThird Party Advisory
www.debian.org/security/2015/dsa-3388nvdThird Party Advisory
www.openwall.com/lists/oss-security/2015/04/23/14nvdMailing ListThird Party Advisory
www.securityfocus.com/bid/74045nvdThird Party AdvisoryVDB Entry
bugs.ntp.org/show_bug.cginvdIssue TrackingThird Party AdvisoryVendor Advisory
www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.htmlnvd
www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.htmlnvd
support.hpe.com/hpsc/doc/public/displaynvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.013
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000