The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2020-15025

CVE-2020-15025: NTP Denial of Service (DoS) Vulnerability

CVE-2020-15025 is a denial of service vulnerability in NTP that allows attackers to cause memory consumption through CMAC key exploitation. This article covers the technical details, affected versions, and mitigation steps.

Published: March 4, 2026

CVE-2020-15025 Overview

CVE-2020-15025 is a memory leak vulnerability affecting the ntpd service in NTP versions 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101. This denial of service vulnerability allows remote attackers to cause memory consumption by sending specially crafted packets when CMAC keys are configured in the ntp.keys file.

The vulnerability arises because memory is not properly freed in situations where a CMAC (Cipher-based Message Authentication Code) key is used and associated with a CMAC algorithm. An authenticated attacker with high privileges can exploit this flaw to gradually exhaust system memory resources, ultimately leading to service degradation or complete denial of service.

Critical Impact

Authenticated remote attackers can cause denial of service through memory exhaustion by sending packets to NTP servers configured with CMAC keys, potentially disrupting critical time synchronization services across enterprise networks.

Affected Products

  • NTP ntp versions 4.2.8 through 4.2.8p14 and 4.3.x before 4.3.101
  • openSUSE Leap 15.1 and 15.2
  • NetApp Cloud Backup and SteelStore Cloud Integrated Storage
  • NetApp Hardware (8300, 8700, A400, H410C, H300S, H500S, H700S, H300E, H500E, H700E, H410S series)
  • Oracle ZFS Storage Appliance Kit 8.8

Discovery Timeline

  • June 24, 2020 - CVE-2020-15025 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2020-15025

Vulnerability Analysis

This vulnerability (CWE-401: Missing Release of Memory after Effective Lifetime) represents a classic memory leak condition in the NTP daemon's packet processing logic. When the ntpd service processes incoming packets and the server is configured to use CMAC authentication keys, the allocated memory for handling these packets is not properly released after processing is complete.

The attack requires network access and elevated privileges (authenticated attacker), but once conditions are met, an attacker can systematically exhaust available system memory by sending a sustained volume of packets. This makes the vulnerability particularly concerning for critical infrastructure systems that rely on NTP for time synchronization, including financial systems, logging infrastructure, and distributed computing environments.

Root Cause

The root cause lies in the memory management code path within ntpd when handling CMAC key operations. Specifically, when a CMAC key is configured in the ntp.keys file and associated with a CMAC algorithm, the memory allocated for processing authentication-related operations is not deallocated after the packet handling completes. This leads to a gradual accumulation of unreleased memory blocks, eventually consuming all available system resources.

Attack Vector

The attack vector is network-based, requiring an authenticated attacker with elevated privileges to send packets to the vulnerable NTP server. The attack exploits the memory leak by sending repeated packets that trigger the CMAC authentication code path, gradually exhausting memory over time.

The exploitation mechanism involves:

  1. Identifying an NTP server running a vulnerable version with CMAC keys configured
  2. Establishing an authenticated session (requiring valid credentials)
  3. Sending continuous packets that exercise the CMAC authentication pathway
  4. Memory accumulates without being freed, eventually causing service degradation

Since this vulnerability requires authentication and high privileges, mass exploitation is less likely, but targeted attacks against specific infrastructure remain a concern.

Detection Methods for CVE-2020-15025

Indicators of Compromise

  • Abnormally high memory consumption by the ntpd process over time
  • Gradual increase in resident memory size for NTP daemon without corresponding increase in connections
  • System out-of-memory (OOM) events affecting ntpd or related services
  • Unusual volume of NTP authentication requests from specific sources

Detection Strategies

  • Monitor ntpd process memory usage trends over time using tools like ps, top, or process monitoring solutions
  • Implement alerting for ntpd memory consumption exceeding baseline thresholds
  • Review NTP access logs for unusual patterns of authenticated requests
  • Check for CMAC key configurations in /etc/ntp.keys or equivalent configuration files

Monitoring Recommendations

  • Configure system monitoring to track ntpd process RSS (Resident Set Size) memory metrics
  • Set up alerting thresholds for abnormal memory growth patterns in time synchronization services
  • Implement network flow analysis to detect anomalous NTP traffic patterns
  • Review and baseline normal NTP authentication activity to identify deviations

How to Mitigate CVE-2020-15025

Immediate Actions Required

  • Update NTP to version 4.2.8p15 or 4.3.101 or later immediately
  • Review ntp.keys configuration files to identify systems using CMAC authentication
  • Implement memory monitoring for ntpd processes to detect active exploitation attempts
  • Consider restricting NTP authentication to trusted sources only

Patch Information

The NTP Project has released patched versions addressing this vulnerability. Organizations should upgrade to NTP version 4.2.8p15 or 4.3.101 or later. Detailed patch information is available through the NTP Bug Report #3661 and the NTP Security Notice for June 2020.

Vendor-specific patches are also available from:

  • NetApp Security Advisory ntap-20200702-0002
  • Gentoo GLSA 202007-12
  • Oracle Critical Patch Update January 2021

Workarounds

  • If immediate patching is not possible, consider temporarily disabling CMAC key authentication in the NTP configuration
  • Implement strict access controls limiting which hosts can authenticate to the NTP server
  • Configure firewall rules to restrict NTP access to only trusted and necessary clients
  • Implement automated restart procedures for ntpd if memory thresholds are exceeded as a temporary mitigation
bash
# Check current NTP version
ntpd --version

# Verify CMAC key usage in configuration
grep -i cmac /etc/ntp.keys

# Monitor ntpd memory consumption
ps aux | grep ntpd | awk '{print "Memory (RSS):", $6, "KB"}'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechNtp
  • SeverityMEDIUM
  • CVSS Score4.9
  • EPSS Probability3.12%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-401
  • Technical References
  • openSUSE Security Announcement
  • openSUSE Security Announcement
  • Gentoo Bug Report #729458
  • Gentoo GLSA 202007-12
  • NetApp Security Advisory ntap-20200702-0002
  • Vendor Resources
  • NTP Bug Report #3661
  • NTP Security Notice June 2020
  • Oracle Critical Patch Update January 2021
  • Related CVEs
  • CVE-2020-13817: NTP Daemon Denial of Service Vulnerability
  • CVE-2020-11868: NTP Denial of Service Vulnerability
  • CVE-2023-26555: NTP Buffer Overflow Vulnerability
  • CVE-2023-26554: NTP Buffer Overflow Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English