Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-11868: NTP BUG 3592: DoS Attack on Unauthenticated Client

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp.

CVE
#rce#auth

Summary

Resolved

4.2.8p14

03 Mar 2020

References

Bug 3592

CVE-2020-11868

Affects

ntp-4.2.8p12 (possibly earlier) and ntp-4.2.8p13,
and 4.3.98 up to, but not including 4.3.100.

Resolved in 4.2.8p14 and 4.3.100.

CVSS2 Score

5.4

AV:N/AC:H/Au:N/C:N/I:N/A:C

CVSS3 Score

5.9

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

The fix for 3445 introduced a bug whereby a system that is running ntp-4.2.8p12 or p13 that only has one unauthenticated time source can be attacked in a way that causes the victim’s next poll to its source to be delayed, for as long as the attack is maintained.

Mitigation

  • Use authentication with symmetric peers.
  • Have enough sources of time.
  • Upgrade to 4.2.8p14 or later.

Credit

Reported by Miroslav Lichvar.

Timeline

  • 2020 Mar 03: Public release
  • 2020 Feb 17: Early Access Program Release: Premier and Partner Institutional Members
  • 2019 Jun 05: Notification to Institutional Members
  • 2019 May 30: Notification from reporter

Feedback

Was this page helpful?

Glad to hear it!

Sorry to hear that.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907