NTP BUG 2909: Slow memory leak in CRYPTO_ASSOC

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

---

Summary

Resolved	4.2.8p4	21 Oct 2015
References	Bug 2909	CVE-2015-7701
Affects	All ntp-4 releases that use autokey up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77.	Resolved in 4.2.8p4.
CVSS2 Score	0.0 best/usual case, 4.6 otherwise	AV:N/AC:H/Au:M/C:N/I:N/A:C

---

Description

If ntpd is configured to use autokey, then an attacker can send packets to ntpd that will, after several days of ongoing attack, cause it to run out of memory.

---

Mitigation

• Don’t use autokey.
• Upgrade to 4.2.8p4 or later.
• Monitor your ntpd instances.

---

Credit

This weakness was discovered by Tenable Network Security.

---

Timeline

• 2015 Oct 21: Public release
• 2015 Oct 6: Early Access Program Release: Premier and Partner Institutional Members
• 2015 Aug 26: Notification to Institutional Members for 1593, 1774, 2382, 2899, and 2902
• 2015 Aug 20: Initial notification of 2902; analysis begins
• 2015 Aug 11: Initial notification of 2899; analysis begins