Improper Input Validation Affecting ntp package, versions <1:4.2.8p14+dfsg-1
Snyk ID SNYK-DEBIAN11-NTP-570548
- published 28 May 2020
- disclosed 6 May 2020
How to fix?
Upgrade Debian:11 ntp to version 1:4.2.8p14+dfsg-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ntp package and not the ntp package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allows remote attackers to prevent a broadcast client from synchronizing its clock with a broadcast NTP server via spoofed mode 3 and mode 5 packets. The attacker must either be a part of the same broadcast network or control a slave in that broadcast network that can capture certain required packets on the attacker's behalf and send them to the attacker.
References
- https://security-tracker.debian.org/tracker/CVE-2018-8956
- https://arxiv.org/abs/2005.01783
- https://nikhiltripathi.in/NTP_attack.pdf
- https://tools.ietf.org/html/rfc5905
- http://www.ntp.org/
- https://security.netapp.com/advisory/ntap-20200518-0006/
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html