cbcvebase.
CVE-2019-6443
published 2019-01-16


Priority: P1 · 80 · critical
CVSS 3.0: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 66.88% (99.2th percentile)
An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd.

Affected (7 ranges)

Vendor         Product         Version range                        Fixed in
debian         ntpsec          < ntpsec 1.1.3+dfsg1-1 (bookworm)    ntpsec 1.1.3+dfsg1-1 (bookworm)
google         chrome_chrome   (no range given)                     (not given)
ntpsec         ntpsec          < 1.1.3                              1.1.3
ntpsec         ntpsec          >= 0, < 1.1.3+dfsg1-1                1.1.3+dfsg1-1
ntpsec         ntpsec          >= 0, < 1.1.3+dfsg1-1                1.1.3+dfsg1-1
ntpsec         ntpsec          >= 0, < 1.1.3+dfsg1-1                1.1.3+dfsg1-1
ntpsec         ntpsec          >= 0, < 1.1.3+dfsg1-1                1.1.3+dfsg1-1

Detection & IOCs (extracted from sources)

Port: 123/udp
Bytes (NTP mode 6 control payload observed in the PoC):
4e0203ec0000000000000002c774633d1000af2c2c2c2cfa0000fa0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b060b0bce0b140b0b0b0b0b0b0b0b0b0b0b0b0b0b0b210b0b0b0b0b0b0b0b0b0b0b0b0b0b0b060b0bce0b0b0b0b0b0b0b0b0b0be4e4e50b0b0b0b200b0b0b0b0b0b0b3d633dac0b0b0b0b2d270b0b0b0b0b0b0b0b0b0b0b0b0b800b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0bff0b
Bytes (short NTP mode 6 control request header):
160203e80000000000000000
  • Send crafted NTP control request (mode 6) UDP payload to port 123 and check response for 'ntpsec' banner string to identify vulnerable NTPsec instances; version string below 1.1.3 confirms vulnerability.
  • Extract NTPsec version from ntpd response banner using regex pattern 'ntpd ntpsec-([0-9.]+)' and flag versions less than 1.1.3.
  • Shodan query 'ntpsec' can be used to identify internet-exposed NTPsec instances for passive detection.
  • The exploit sends an oversized crafted NTP control (mode 6) UDP datagram to trigger the stack-based buffer over-read in ctl_getitem/read_sysvars; monitor for anomalously large or malformed NTP control packets on UDP/123.
  • Affected versions are ntpsec 1.1.1 and 1.1.2; any response identifying these versions should be treated as vulnerable.
  • The PoC explicitly notes it does not crash the target, meaning exploitation is stealthy and may not produce obvious crash/error indicators in logs.
  • The vulnerability is in the NTP control protocol (mode 6), which may be accessible remotely; ensure NTP control queries are restricted by ACL in ntpd configuration.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.1     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvd             v2.0      6.4     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:P
osv                       9.1     CRITICAL
vulncheck                 9.1     CRITICAL
vendor_debian             9.1     CRITICAL