CVE-2015-7974
Summary
| CVE | CVE-2015-7974 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-01-26 19:59:00 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." |
Risk And Classification
Primary CVSS: v3.1 7.7 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Problem Types: CWE-287 | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |
| 2.0 | [email protected] | Primary | 4 | | AV:N/AC:L/Au:S/C:N/I:P/A:N |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | None |
| Integrity | High |
| Availability | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N |
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | Single |
| Confidentiality | None |
| Integrity | Partial |
| Availability | None |
| Vector | AV:N/AC:L/Au:S/C:N/I:P/A:N |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Siemens TIM 4R-IE Devices \| CISA | af854a3a-2127-422b-91ae-364da2661108 | us-cert.cisa.gov | Third Party Advisory, US Government Resource |
| NTP CVE-2015-7974 Symmetric Key Encryption Authentication Security Bypass Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Bug 2936 – Skeleton Key: Any system knowing the trusted key can serve time | af854a3a-2127-422b-91ae-364da2661108 | bugs.ntp.org | Issue Tracking, Vendor Advisory |
| cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf | af854a3a-2127-422b-91ae-364da2661108 | cert-portal.siemens.com | Third Party Advisory |
| security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc | af854a3a-2127-422b-91ae-364da2661108 | security.FreeBSD.org | Third Party Advisory |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | Third Party Advisory |
| NTP: Multiple vulnerabilities (GLSA 201607-15) — Gentoo Security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | Third Party Advisory |
| Document Display \| HPE Support Center | af854a3a-2127-422b-91ae-364da2661108 | h20566.www2.hpe.com | Third Party Advisory |
| January 2016 Network Time Protocol Daemon (ntpd) Vulnerabilities in NetApp Products \| NetApp Product Security | af854a3a-2127-422b-91ae-364da2661108 | security.netapp.com | Third Party Advisory |
| support.ntp.org/bin/view/Main/NtpBug2936 | af854a3a-2127-422b-91ae-364da2661108 | support.ntp.org | Vendor Advisory |
| Debian -- Security Information -- DSA-3629-1 ntp | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Third Party Advisory |
| Cisco Talos - Talos 2016 0071 | af854a3a-2127-422b-91ae-364da2661108 | www.talosintel.com | Exploit, Third Party Advisory |
| Document Display \| HPE Support Center | af854a3a-2127-422b-91ae-364da2661108 | h20566.www2.hpe.com | Third Party Advisory |
| ntp Multiple Flaws Let Remote Users Spoof Messages, Obtain Potentially Sensitive Information, and Deny Service - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 590721 Siemens TIM 4R-IE Devices Multiple Vulnerabilities (ICSA-21-103-11)