CVE-2015-7851 - OpenCVE

Directory traversal vulnerability in the save_config function in ntpd in ntp_control.c in NTP before 4.2.8p4, when used on systems that do not use '\' or '/' characters for directory separation such as OpenVMS, allows remote authenticated users to overwrite arbitrary files.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ntp	Ntp

Configuration 1 [-]

OR	cpe:2.3:a:ntp:ntp::::::::
	cpe:2.3:a:ntp:ntp::::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p1::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p1-beta1::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p1-beta2::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p1-beta3::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p1-beta4::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p1-beta5::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p1-rc1::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p1-rc2::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p2::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p2-rc1::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p2-rc2::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p2-rc3::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p3::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p3-rc1::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p3-rc2::::::
	cpe:2.3:a:ntp:ntp:4.2.8:p3-rc3::::::

References

Link	Resource
http://support.ntp.org/bin/view/Main/NtpBug2918	Vendor Advisory
http://support.ntp.org/bin/view/Main/SecurityNotice	Release Notes Vendor Advisory
http://www.talosintel.com/reports/TALOS-2015-0062/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-01-28T16:35:21

Updated: 2020-01-28T16:35:21

Reserved: 2015-10-16T00:00:00

Link: CVE-2015-7851

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-01-28T17:15:12.053

Modified: 2020-06-18T18:33:45.227

Link: CVE-2015-7851

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-10-21T00:00:00", "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in the save_config function in ntpd in ntp_control.c in NTP before 4.2.8p4, when used on systems that do not use '\\' or '/' characters for directory separation such as OpenVMS, allows remote authenticated users to overwrite arbitrary files."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-28T16:35:21", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.talosintel.com/reports/TALOS-2015-0062/"}, {"tags": ["x_refsource_MISC"], "url": "http://support.ntp.org/bin/view/Main/SecurityNotice"}, {"tags": ["x_refsource_MISC"], "url": "http://support.ntp.org/bin/view/Main/NtpBug2918"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-7851", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in the save_config function in ntpd in ntp_control.c in NTP before 4.2.8p4, when used on systems that do not use '\\' or '/' characters for directory separation such as OpenVMS, allows remote authenticated users to overwrite arbitrary files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.talosintel.com/reports/TALOS-2015-0062/", "refsource": "MISC", "url": "http://www.talosintel.com/reports/TALOS-2015-0062/"}, {"name": "http://support.ntp.org/bin/view/Main/SecurityNotice", "refsource": "MISC", "url": "http://support.ntp.org/bin/view/Main/SecurityNotice"}, {"name": "http://support.ntp.org/bin/view/Main/NtpBug2918", "refsource": "MISC", "url": "http://support.ntp.org/bin/view/Main/NtpBug2918"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-7851", "datePublished": "2020-01-28T16:35:21", "dateReserved": "2015-10-16T00:00:00", "dateUpdated": "2020-01-28T16:35:21", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ntp:ntp:*:*:*:*:*:*:*:*", "matchCriteriaId": "C240BAAB-8C12-4501-9DC6-FB877304E908", "versionEndExcluding": "4.2.8", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:*:*:*:*:*:*:*:*", "matchCriteriaId": "79494F07-6081-497D-8A2D-B05486599EAE", "versionEndExcluding": "4.3.77", "versionStartIncluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p1:*:*:*:*:*:*", "matchCriteriaId": "C855BBD2-2B38-4EFF-9DBE-CA61CCACD0DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta1:*:*:*:*:*:*", "matchCriteriaId": "49ADE0C3-F75C-4EC0-8805-56013F0EB92C", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta2:*:*:*:*:*:*", "matchCriteriaId": "D8FF625A-EFA3-43D1-8698-4A37AE31A07C", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta3:*:*:*:*:*:*", "matchCriteriaId": "E3B99BBD-97FE-4615-905A-A614592226F8", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta4:*:*:*:*:*:*", "matchCriteriaId": "E7A9AD3A-F030-4331-B52A-518BD963AB8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta5:*:*:*:*:*:*", "matchCriteriaId": "C293B8BE-6691-4944-BCD6-25EB98CABC73", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p1-rc1:*:*:*:*:*:*", "matchCriteriaId": "CEA650F8-2576-494A-A861-61572CA319D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p1-rc2:*:*:*:*:*:*", "matchCriteriaId": "4ED21EE8-7CBF-4BC5-BFC3-185D41296238", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p2:*:*:*:*:*:*", "matchCriteriaId": "C76A0B44-13DE-4173-8D05-DA54F6A71759", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p2-rc1:*:*:*:*:*:*", "matchCriteriaId": "1450241C-2F6D-4122-B33C-D78D065BA403", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p2-rc2:*:*:*:*:*:*", "matchCriteriaId": "721AFD22-91D3-488E-A5E6-DD84C86E412B", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p2-rc3:*:*:*:*:*:*", "matchCriteriaId": "8D6ADDB1-2E96-4FF6-AE95-4B06654D38B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p3:*:*:*:*:*:*", "matchCriteriaId": "41E44E9F-6383-4E12-AEDC-B653FEA77A48", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p3-rc1:*:*:*:*:*:*", "matchCriteriaId": "466D9A37-2658-4695-9429-0C6BF4A631C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p3-rc2:*:*:*:*:*:*", "matchCriteriaId": "99774181-5F12-446C-AC2C-DB1C52295EED", "vulnerable": true}, {"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p3-rc3:*:*:*:*:*:*", "matchCriteriaId": "4427EE6D-3F79-4FF5-B3EC-EE6BD01562CE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in the save_config function in ntpd in ntp_control.c in NTP before 4.2.8p4, when used on systems that do not use '\\' or '/' characters for directory separation such as OpenVMS, allows remote authenticated users to overwrite arbitrary files."}, {"lang": "es", "value": "La vulnerabilidad salto de directorio en la funci\u00f3n save_config en ntpd en el archivo ntp_control.c en NTP versiones anteriores a 4.2.8p4, cuando es usado en sistemas que no utilizan caracteres \"\\\" o '\"/\" para la separaci\u00f3n de directorios como OpenVMS, permite a usuarios autenticados remotos sobrescribir archivos arbitrarios."}], "id": "CVE-2015-7851", "lastModified": "2020-06-18T18:33:45.227", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-28T17:15:12.053", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://support.ntp.org/bin/view/Main/NtpBug2918"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://support.ntp.org/bin/view/Main/SecurityNotice"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://www.talosintel.com/reports/TALOS-2015-0062/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}