CVE-2018-7170 — HPE Hpux-ntp vulnerability

9 documents8 sources

Severity

5.3MEDIUMNVD

CNA6.5OSV6.5

EPSS

0.5%

top 32.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NTP HPE Hpux-ntp Synology Diskstation Manager +4 more

Timeline

PublishedMar 6

Latest updateMay 13

Description

ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages8 packages

▶NVDntp/ntp4.2.0 — 4.2.8+2

▶NVDhpe/hpux-ntp< c.4.2.8.4.0

▶NVDsynology/skynas< 6.1.5-15254

▶NVDsynology/router_manager1.1 — 1.1.6-6931-3

▶NVDsynology/vs960hd_firmware< 2.2.3-1505

🔴Vulnerability Details

GHSA

GHSA-v9cv-3r4j-cx4j: ntpd in ntp 4↗2022-05-13

▶

CVEList

CVE-2018-7170: ntpd in ntp 4↗2018-03-06

▶

OSV

CVE-2018-7170: ntpd in ntp 4↗2018-03-06

▶

📋Vendor Advisories

BSD

FreeBSD-SA-18:02.ntp: Multiple vulnerabilities of ntp↗2018-03-07

▶

Red Hat

ntp: Ephemeral association time spoofing additional protection↗2018-02-27

▶

Debian

CVE-2018-7170: ntp - ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated us...↗2018

▶

💬Community

Bugzilla

CVE-2018-7170 CVE-2018-7182 CVE-2018-7183 CVE-2018-7184 CVE-2018-7185 ntp: various flaws [fedora-all]↗2018-02-28

▶

Bugzilla

CVE-2018-7170 ntp: Ephemeral association time spoofing additional protection↗2018-02-28

▶