CVE-2018-12327
published 2018-06-20


Priority: P2 65 · Severity: critical · CVSS 3.0 base score: 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 29.04% (97.9th percentile)
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source.

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
debian   ntp       (not given)     (not given)
ntp      ntp       (not given)     (not given)

Detection & IOCs (extracted from sources)

Indicators:
  command: ./ntpdc -4 [`python -c 'print "A" * 300'`]
  process: ntpq
  process: ntpdc
  • The overflow is triggered in the `openhost` function when a long string (≥300 bytes) is passed as an IPv4 (-4) or IPv6 (-6) command-line argument to ntpq or ntpdc. Monitor process execution of ntpq/ntpdc with abnormally long argument strings.
  • Crash/exploitation manifests in `openhost` at ntpq.c:655 or ntpdc.c:413. Stack traces showing `openhost` with oversized hostname arguments are a strong indicator of exploitation attempts.
  • Applications invoking ntpq or ntpdc with untrusted/external input as hostname arguments are the primary attack surface. Audit pipelines or scripts that pass user-controlled strings to these utilities.
  • Exploitation requires the attacker to control the command-line arguments passed to ntpq or ntpdc; direct network exploitation is not possible. The practical risk depends on whether these utilities are invoked with untrusted input.
  • Red Hat rates this as Low severity and does not plan to fix it in RHEL 5 (Extended Life Phase). RHEL 7 may receive a future update, but it is not guaranteed.
  • The Debian tracker lists this as still open in bullseye, meaning patched packages may not be available across all distributions.
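Added example, not from this advisory or the NTP project: a small check that applies the detection notes above to process-execution telemetry, flagging ntpq/ntpdc runs whose longest argument reaches the 300-byte length the advisory cites and noting whether the -4/-6 flag from the published PoC is present. The JSON-lines record shape (fields "argv", "exe", "pid") and the sample records are assumptions constructed for the example.

```python
"""Detect ntpq/ntpdc executions carrying an oversized command-line argument."""
import json
import os

WATCHED_BINARIES = {"ntpq", "ntpdc"}
FAMILY_FLAGS = {"-4", "-6"}          # the -4/-6 flags named in the advisory
LONG_ARG_THRESHOLD = 300             # advisory cites >= 300 bytes as the trigger length


def assess(event):
    """Return a finding for one exec event (dict with "argv", optional "exe"/"pid"),
    or None when the event is benign."""
    argv = event.get("argv") or [""]
    comm = os.path.basename(event.get("exe") or argv[0])
    if comm not in WATCHED_BINARIES:
        return None
    longest = max(argv[1:], key=len, default="")
    if len(longest) < LONG_ARG_THRESHOLD:
        return None
    return {
        "process": comm,
        "pid": event.get("pid"),
        "arg_length": len(longest),
        "family_flag": any(a in FAMILY_FLAGS for a in argv[1:]),  # matches PoC shape
        "rule": "CVE-2018-12327: oversized argument to ntpq/ntpdc",
    }


def scan(lines):
    """Run assess() over JSON-lines exec records; malformed lines are skipped."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad record must not abort the whole scan
        finding = assess(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry) in the record shape assumed above.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"pid": 4101, "exe": "/usr/bin/ntpq", "argv": ["ntpq", "-p", "pool.ntp.org"]},
    {"pid": 4102, "exe": "/usr/bin/ntpdc", "argv": ["ntpdc", "-4", "A" * 300]},
    {"pid": 4103, "exe": "/usr/bin/curl", "argv": ["curl", "http://x/" + "A" * 400]},
    {"pid": 4104, "exe": "/usr/sbin/ntpq", "argv": ["ntpq", "-6", "-c", "peers", "B" * 512]},
])
```

Running `scan(SAMPLE_LOG.splitlines())` yields two findings (pids 4102 and 4104); the curl record is ignored because only the two NTP utilities are watched.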

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv             (n/a)     9.8     CRITICAL   (not given)
vendor_debian   (n/a)     9.8     LOW        (not given)
vendor_redhat   (n/a)     9.8     CRITICAL   (not given)