CVE-2015-7849

high-risk
Published 2017-08-07

Use-after-free vulnerability in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to possibly execute arbitrary code or cause a denial of service (crash) via crafted packets.

Do I need to act?

~
3.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (20)

Ntp
Ntp
Ntp
Ntp
Ntp
Ntp
Ntp
Ntp
Ntp
Ntp
Ntp
Ntp
Ntp
Ntp
Ntp
Ntp

Affected Vendors

Ntp Netapp

References (12)

Patch http://support.ntp.org/bin/view/Main/NtpBug2916
Third Party Advisory http://www.securityfocus.com/bid/77276
Third Party Advisory http://www.securitytracker.com/id/1033951
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1274257
Third Party Advisory https://security.gentoo.org/glsa/201607-15
Third Party Advisory https://security.netapp.com/advisory/ntap-20171004-0001/
Patch http://support.ntp.org/bin/view/Main/NtpBug2916
Third Party Advisory http://www.securityfocus.com/bid/77276
Third Party Advisory http://www.securitytracker.com/id/1033951
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1274257
Third Party Advisory https://security.gentoo.org/glsa/201607-15
Third Party Advisory https://security.netapp.com/advisory/ntap-20171004-0001/
58
/ 100
high-risk
Severity 30/34 · Critical
Exploitability 7/34 · Low
Exposure 21/34 · High