CVE-2015-5300
Public on 2015-10-27
Modified on 2015-10-27
Description
It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value at any time.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | ntp | 2015-10-27 | ALAS-2015-607 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| NVD | CVSSv3 | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |