CVE-2019-6444
Published: 2019-01-16
Priority P269 · critical · 9.1 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EXPLOIT
EPSS: 45.72% (98.6th percentile)
An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control.c has a stack-based buffer over-read because attacker-controlled data is dereferenced by ntohl() in ntpd.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ntpsec | < ntpsec 1.1.3+dfsg1-1 (bookworm) | ntpsec 1.1.3+dfsg1-1 (bookworm) |
| chrome_chrome | — | — | |
| ntpsec | ntpsec | < 1.1.3 | 1.1.3 |
| ntpsec | ntpsec | >= 0 < 1.1.3+dfsg1-1 | 1.1.3+dfsg1-1 |
| ntpsec | ntpsec | >= 0 < 1.1.3+dfsg1-1 | 1.1.3+dfsg1-1 |
| ntpsec | ntpsec | >= 0 < 1.1.3+dfsg1-1 | 1.1.3+dfsg1-1 |
| ntpsec | ntpsec | >= 0 < 1.1.3+dfsg1-1 | 1.1.3+dfsg1-1 |
Detection & IOCs (extracted from sources)
bytes
\x8e\x0a\x6b\xc3\x80\x00\x00\x00\x00\x00\x02\x48\x47\x50\x53\x73
- The exploit sends a crafted UDP packet to port 123 targeting the NTP control message handler (process_control() in ntp_control.c). Monitor for malformed NTP control packets (mode 6) with oversized or malformed data fields triggering out-of-bounds reads in ntpd.
- The PoC packet begins with byte 0x8e (NTP mode 6 / control message with specific flags). Inspect NTP traffic on UDP/123 for packets starting with 0x8e followed by the pattern 0x0a 0x6b 0xc3.
- Affected versions are NTPsec 1.1.1 and 1.1.2. Detect vulnerable instances by identifying ntpd processes running these versions; fixed in 1.1.3.
- The PoC does not crash the target; the vulnerability is an out-of-bounds read (information disclosure / stack memory leak), not a crash or RCE. Detection based solely on service crashes will miss exploitation attempts.
CVSS provenance
- nvd · v3.0 · 9.1 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
- nvd · v2.0 · 6.4 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:P
- osv · 9.1 CRITICAL
- vendor_debian · 9.1 CRITICAL
GHSA
GHSA-ggw9-jvx5-hggr: An issue was discovered in NTPsec before 1
ghsa_unreviewed·2022-05-14
CVE-2019-6444 [CRITICAL] CWE-125 GHSA-ggw9-jvx5-hggr: An issue was discovered in NTPsec before 1
An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control.c has a stack-based buffer over-read because attacker-controlled data is dereferenced by ntohl() in ntpd.
OSV
CVE-2019-6444: An issue was discovered in NTPsec before 1
osv·2019-01-16·CVSS 9.1
CVE-2019-6444 [CRITICAL] CVE-2019-6444: An issue was discovered in NTPsec before 1
An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control.c has a stack-based buffer over-read because attacker-controlled data is dereferenced by ntohl() in ntpd.
Chrome
Stable Channel Update for Desktop: CVE-2020-6443
vendor_chrome·2020-04-07·CVSS 8.8
CVE-2020-6443 [LOW] Stable Channel Update for Desktop: CVE-2020-6443
Stable Channel Update for Desktop
CVE-2020-6443: Insufficient data validation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-01-08
[$N/A][ 922882 ] Low CVE-2020-6444: Uninitialized Use in WebRTC
Reported by mlfbrown on 2019-01-17
Severity: low
Debian
CVE-2019-6444: ntpsec - An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control...
vendor_debian·2019·CVSS 9.1
CVE-2019-6444 [CRITICAL] CVE-2019-6444: ntpsec - An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control...
An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control.c has a stack-based buffer over-read because attacker-controlled data is dereferenced by ntohl() in ntpd.
Scope: local
bookworm: resolved (fixed in 1.1.3+dfsg1-1)
bullseye: resolved (fixed in 1.1.3+dfsg1-1)
forky: resolved (fixed in 1.1.3+dfsg1-1)
sid: resolved (fixed in 1.1.3+dfsg1-1)
trixie: resolved (fixed in 1.1.3+dfsg1-1)
No detection rules found.
No writeups or analysis indexed.
- https://dumpco.re/blog/ntpsec-bugs
- https://dumpco.re/bugs/ntpsec-oobread2
- https://github.com/ntpsec/ntpsec/blob/NTPsec_1_1_3/NEWS
- https://www.exploit-db.com/exploits/46176/
Published: 2019-01-16