Lucene search

[email protected]CVE-2020-11868

HistoryApr 17, 2020 - 4:15 a.m.

CVE-2020-11868

2020-04-1704:15:10

CWE-346

[email protected]

web.nvd.nist.gov

467

ntp

ntpd

cve-2020-11868

network security

ip spoofing

packet synchronization

off-path attacker

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.033 Low

EPSS

Percentile

91.3%

JSON

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp.

Affected configurations

NVD

Node

ntpntpRange≤4.2.7

ntpntpRange4.3.98–4.3.100

ntpntpMatch4.2.8-

ntpntpMatch4.2.8p1

ntpntpMatch4.2.8p1-beta1

ntpntpMatch4.2.8p1-beta2

ntpntpMatch4.2.8p1-beta3

ntpntpMatch4.2.8p1-beta4

ntpntpMatch4.2.8p1-beta5

ntpntpMatch4.2.8p1-rc1

ntpntpMatch4.2.8p1-rc2

ntpntpMatch4.2.8p10

ntpntpMatch4.2.8p11

ntpntpMatch4.2.8p12

ntpntpMatch4.2.8p13

ntpntpMatch4.2.8p2

ntpntpMatch4.2.8p2-rc1

ntpntpMatch4.2.8p2-rc2

ntpntpMatch4.2.8p2-rc3

ntpntpMatch4.2.8p3

ntpntpMatch4.2.8p3-rc1

ntpntpMatch4.2.8p3-rc2

ntpntpMatch4.2.8p3-rc3

ntpntpMatch4.2.8p4

ntpntpMatch4.2.8p5

ntpntpMatch4.2.8p6

ntpntpMatch4.2.8p7

ntpntpMatch4.2.8p8

ntpntpMatch4.2.8p9

Node

redhatenterprise_linuxMatch7.0

Node

netappdata_ontapMatch-7-mode

netapphci_management_nodeMatch-

netappsolidfireMatch-

netappvasa_provider_for_clustered_data_ontapRange7.2≥

netappvasa_provider_for_clustered_data_ontapRange7.2≥vsphere

netappvirtual_storage_consoleRange7.2≥vsphere

netappclustered_data_ontapMatch-

Node

netapphci_storage_nodeMatch-

AND

netapphci_storage_node_firmwareMatch-

Node

netappfabric-attached_storage_8300Match-

AND

netappfabric-attached_storage_8300_firmwareMatch-

Node

netappfabric-attached_storage_8700Match-

AND

netappfabric-attached_storage_8700_firmwareMatch-

Node

netappfabric-attached_storage_a400Match-

AND

netappfabric-attached_storage_a400_firmwareMatch-

Node

netappall_flash_fabric-attached_storage_8300Match-

AND

netappall_flash_fabric-attached_storage_8300_firmwareMatch-

Node

netappall_flash_fabric-attached_storage_8700Match-

AND

netappall_flash_fabric-attached_storage_8700_firmwareMatch-

Node

netappall_flash_fabric-attached_storage_a400Match-

AND

netappall_flash_fabric-attached_storage_a400_firmwareMatch-

Node

debiandebian_linuxMatch8.0

Node

opensuseleapMatch15.1

opensuseleapMatch15.2

CPENameOperatorVersion
ntp:ntpntple4.2.7
ntp:ntpntplt4.3.100
ntp:ntpntpeq4.2.8

CPE	Name	Operator	Version
ntp:ntp	ntp	le	4.2.7
ntp:ntp	ntp	lt	4.3.100
ntp:ntp	ntp	eq	4.2.8

References

lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html

lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html

support.ntp.org/bin/view/Main/NtpBug3592

bugzilla.redhat.com/show_bug.cgi?id=1716665

lists.debian.org/debian-lts-announce/2020/05/msg00004.html

security.gentoo.org/glsa/202007-12

security.netapp.com/advisory/ntap-20200424-0002/

www.oracle.com//security-alerts/cpujul2021.html

Social References

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.3 High

AI Score

Confidence

High

0.033 Low

EPSS

Percentile

91.3%

JSON

Related for CVE-2020-11868

nessus30 redhatcve1 openvas17 ibm13 nvd1 prion1 cloudlinux2 osv1 ubuntucve1 debiancve1 veracode1 mageia1 f51 debian1 cvelist1 oraclelinux1 fedora1 centos1 amazon1 redhat1 aix1 gentoo1 suse2 photon6 ics1 oracle1