CVE-2018-7183
Published 2018-03-08
Priority P356 · critical · 9.8 · CVSS 3.0
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 10.78% (95.3th percentile)
Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | ntp | < ntp 1:4.2.8p11+dfsg-1 (bullseye) | ntp 1:4.2.8p11+dfsg-1 (bullseye) |
| debian | ntpsec | < ntp 1:4.2.8p11+dfsg-1 (bullseye) | ntp 1:4.2.8p11+dfsg-1 (bullseye) |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| ntp | ntp | — | — |
| ntp | ntp | — | — |
| ntp | ntp | — | — |
| ntp | ntp | — | — |
| ntp | ntp | — | — |
| ntp | ntp | >= 0 < 1:4.2.8p11+dfsg-1 | 1:4.2.8p11+dfsg-1 |
| ntp | ntp | >= 0 < 1:4.2.6.p5+dfsg-3ubuntu2.14.04.13 | 1:4.2.6.p5+dfsg-3ubuntu2.14.04.13 |
| ntp | ntp | >= 0 < 1:4.2.8p4+dfsg-3ubuntu5.9 | 1:4.2.8p4+dfsg-3ubuntu5.9 |
| ntp | ntp | >= 0 < 1:4.2.8p10+dfsg-5ubuntu7.1 | 1:4.2.8p10+dfsg-5ubuntu7.1 |
Detection & IOCs
- The flaw is in the decodearr() function in ntpq and is triggered when ntpq receives a crafted response containing a malformed array, causing a buffer overflow. Monitor for anomalous NTP mode 6 (ntpq) response traffic with oversized or malformed array fields.
- The attack vector requires either a maliciously altered ntpd returning a crafted array result, or a man-in-the-middle actor forging an ntpq response before the legitimate ntpd reply arrives. Inspect NTP response packets on the wire for array payloads that exceed expected buffer bounds.
- The affected process is ntpq (the NTP query/monitoring client), not ntpd. Focus endpoint detection on ntpq process crashes or unexpected code execution spawned from ntpq.
- Vulnerable NTP versions are 4.2.8p6 through 4.2.8p10; upgrade to 4.2.8p11 or later to remediate. Red Hat Enterprise Linux 5, 6, and 7 are listed as Not Affected, while RHEL 8 is "Will not fix".
- Debian bullseye resolved the issue in package version 1:4.2.8p11+dfsg-1; ensure the patched package is deployed.
- Exploitation requires the attacker to either control a malicious ntpd or perform a man-in-the-middle attack on ntpq query traffic. Network segmentation and authenticated NTP (e.g., NTS or symmetric keys) reduce exposure.
CVSS provenance
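| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | LOW | |
| vendor_oracle | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 7.5 | HIGH | |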
GHSA
GHSA-9429-whv8-4h3p: Buffer overflow in the decodearr function in ntpq in ntp 4
ghsa_unreviewed·2022-05-13
CVE-2018-7183 [CRITICAL] CWE-787 GHSA-9429-whv8-4h3p: Buffer overflow in the decodearr function in ntpq in ntp 4
Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.
OSV
ntp vulnerabilities
osv·2018-07-09·CVSS 7.5
CVE-2018-7182 [HIGH] ntp vulnerabilities
Yihan Lian discovered that NTP incorrectly handled certain malformed mode 6
packets. A remote attacker could possibly use this issue to cause ntpd to
crash, resulting in a denial of service. This issue only affected Ubuntu
17.10 and Ubuntu 18.04 LTS. (CVE-2018-7182)
Michael Macnair discovered that NTP incorrectly handled certain responses.
A remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2018-7183)
Miroslav Lichvar discovered that NTP incorrectly handled certain
zero-origin timestamps. A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu
18.04 LTS. (CVE-2018-7184)
Miroslav Lichvar discovered that NTP incorrectly handled certain
zero-origin timestamps. A remote at
OSV
CVE-2018-7183: Buffer overflow in the decodearr function in ntpq in ntp 4
osv·2018-03-08·CVSS 9.8
CVE-2018-7183 [CRITICAL] CVE-2018-7183: Buffer overflow in the decodearr function in ntpq in ntp 4
Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.
Oracle
Oracle Oracle Systems Risk Matrix: XCP Firmware (NTP) — CVE-2018-7183
vendor_oracle·2021-07-15·CVSS 9.8
CVE-2018-7183 [CRITICAL] Oracle Oracle Systems Risk Matrix: XCP Firmware (NTP) — CVE-2018-7183
Oracle Oracle Systems Risk Matrix: XCP Firmware (NTP) vulnerability
CVE: CVE-2018-7183
CVSS: 9.8
Protocol: NTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2021 (JUL 2021)
Ubuntu
NTP vulnerabilities
vendor_ubuntu·2019-01-23·CVSS 7.5
CVE-2016-7426 [HIGH] NTP vulnerabilities
Title: NTP vulnerabilities
Summary: Several security issues were fixed in NTP.
USN-3707-1 and USN-3349-1 fixed several vulnerabilities in NTP. This update
provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed
addresses when performing rate limiting. A remote attacker could possibly
use this issue to perform a denial of service. (CVE-2016-7426)
Matthew Van Gundy discovered that NTP incorrectly handled certain crafted
broadcast mode packets. A remote attacker could possibly use this issue to
perform a denial of service. (CVE-2016-7427, CVE-2016-7428)
Matthew Van Gundy discovered that NTP incorrectly handled certain control
mode packets. A remote attacker could use this issue to set or
Ubuntu
NTP vulnerabilities
vendor_ubuntu·2018-07-09·CVSS 7.5
CVE-2018-7182 [HIGH] NTP vulnerabilities
Title: NTP vulnerabilities
Summary: Several security issues were fixed in NTP.
Yihan Lian discovered that NTP incorrectly handled certain malformed mode 6
packets. A remote attacker could possibly use this issue to cause ntpd to
crash, resulting in a denial of service. This issue only affected Ubuntu
17.10 and Ubuntu 18.04 LTS. (CVE-2018-7182)
Michael Macnair discovered that NTP incorrectly handled certain responses.
A remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2018-7183)
Miroslav Lichvar discovered that NTP incorrectly handled certain
zero-origin timestamps. A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu
18.04 LTS. (CVE-2018-7184)
Miroslav Lichvar discovered that NTP inc
BSD
FreeBSD-SA-18:02.ntp: Multiple vulnerabilities of ntp
bsd_advisories·2018-03-07·CVSS 5.3
CVE-2017-7183 [MEDIUM] FreeBSD-SA-18:02.ntp: Multiple vulnerabilities of ntp
FreeBSD-SA-18:02.ntp Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities of ntp
Category: contrib
Module: ntp
Announced: 2018-03-07
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2018-02-28 09:01:03 UTC (stable/11, 11.1-STABLE)
2018-03-07 05:58:24 UTC (releng/11.1, 11.1-RELEASE-p7)
2018-03-01 04:06:49 UTC (stable/10, 10.4-STABLE)
2018-03-07 05:58:24 UTC (releng/10.4, 10.4-RELEASE-p6)
2018-03-07 05:58:24 UTC (releng/10.3, 10.3-RELEASE-p27)
CVE Name: CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185,
CVE-2018-7183
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The ntpd(8) daemon is an i
Red Hat
ntp: decodearr() can write beyond its buffer limit
vendor_redhat·2018-02-27·CVSS 9.8
CVE-2018-7183 [CRITICAL] CWE-119 ntp: decodearr() can write beyond its buffer limit
Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.
Package: ntp (Red Hat Enterprise Linux 5) - Not affected
Package: ntp (Red Hat Enterprise Linux 6) - Not affected
Package: ntp (Red Hat Enterprise Linux 7) - Not affected
Package: ntp (Red Hat Enterprise Linux 8) - Will not fix
Debian
CVE-2018-7183: ntp - Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p1...
vendor_debian·2018·CVSS 9.8
CVE-2018-7183 [CRITICAL] CVE-2018-7183: ntp - Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p1...
Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p11+dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-7170 CVE-2018-7182 CVE-2018-7183 CVE-2018-7184 CVE-2018-7185 ntp: various flaws [fedora-all]
bugzilla·2018-02-28·CVSS 5.3
CVE-2018-7170 [MEDIUM] CVE-2018-7170 CVE-2018-7182 CVE-2018-7183 CVE-2018-7184 CVE-2018-7185 ntp: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects mul
Bugzilla
CVE-2018-7183 ntp: decodearr() can write beyond its buffer limit
bugzilla·2018-02-28·CVSS 9.8
CVE-2018-7183 [CRITICAL] CVE-2018-7183 ntp: decodearr() can write beyond its buffer limit
ntpq is a monitoring and control program for ntpd. decodearr() is an internal function of ntpq that is used to -- wait for it -- decode an array in a response string when formatted data is being displayed. This is a problem in affected versions of ntpq if a maliciously-altered ntpd returns an array result that will trip this bug, or if a bad actor is able to read an ntpq request on its way to a remote ntpd server and forge and send a response before the remote ntpd sends its response. It's potentially possible that the malicious data could become injectable/executable code.
References:
http://support.ntp.org/bin/view/Main/NtpBug3414
Discussion:
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1550228]
- http://support.ntp.org/bin/view/Main/NtpBug3414
- http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S
- http://www.securityfocus.com/bid/103351
- https://security.FreeBSD.org/advisories/FreeBSD-SA-18:02.ntp.asc
- https://security.gentoo.org/glsa/201805-12
- https://security.netapp.com/advisory/ntap-20180626-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03962en_us
- https://usn.ubuntu.com/3707-1/
- https://usn.ubuntu.com/3707-2/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.synology.com/support/security/Synology_SA_18_13
Published: 2018-03-08