CVE-2017-6463 — Improper Input Validation in NTP

CWE-20 — Improper Input Validation CWE-476 — NULL Pointer Dereference12 documents9 sources

Severity

6.5MEDIUMNVD

OSV5.9

EPSS

3.1%

top 13.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NTP Debian NTP Apple Macos High Sierra

Timeline

PublishedMar 27

Latest updateMay 14

Description

NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/ntp< ntp 1:4.2.8p10+dfsg-1 (bullseye)

▶Debianntp/ntp< 1:4.2.8p10+dfsg-1

▶Ubuntuntp/ntp< 1:4.2.6.p5+dfsg-3ubuntu2.14.04.11+1

▶NVDntp/ntp95 versions+94

▶Appleapple/macos_high_sierra10.13

🔴Vulnerability Details

GHSA

GHSA-gmrg-j497-5g5q: NTP before 4↗2022-05-14

▶

OSV

ntp vulnerabilities↗2017-07-05

▶

OSV

CVE-2017-6463: NTP before 4↗2017-03-27

▶

📋Vendor Advisories

Ubuntu

NTP vulnerabilities↗2019-01-23

▶

Apple

CVE-2017-6463: macOS High Sierra 10.13↗2017-09-25

▶

Ubuntu

NTP vulnerabilities↗2017-07-05

▶

BSD

FreeBSD-SA-17:03.ntp: Multiple vulnerabilities of ntp↗2017-04-12

▶

Red Hat

ntp: Authenticated DoS via Malicious Config Option↗2017-03-21

▶

💬Community

Bugzilla

CVE-2017-6464 CVE-2017-6462 CVE-2017-6463 CVE-2017-6458 CVE-2017-6451 ntp: various flaws [fedora-all]↗2017-03-23

▶

Bugzilla

CVE-2017-6463 ntp: Authenticated DoS via Malicious Config Option↗2017-03-20

▶