CVE-2019-6444
published 2019-01-16

Priority P269 · critical · 9.1 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EXPLOIT
EPSS: 45.72% (98.6th percentile)
An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control.c has a stack-based buffer over-read because attacker-controlled data is dereferenced by ntohl() in ntpd.

Affected

7 ranges
Vendor | Product | Version range | Fixed in
debian | ntpsec | < ntpsec 1.1.3+dfsg1-1 (bookworm) | ntpsec 1.1.3+dfsg1-1 (bookworm)
googlechrome_chrome
ntpsec | ntpsec | < 1.1.3 | 1.1.3
ntpsec | ntpsec | >= 0 < 1.1.3+dfsg1-1 | 1.1.3+dfsg1-1
ntpsec | ntpsec | >= 0 < 1.1.3+dfsg1-1 | 1.1.3+dfsg1-1
ntpsec | ntpsec | >= 0 < 1.1.3+dfsg1-1 | 1.1.3+dfsg1-1
ntpsec | ntpsec | >= 0 < 1.1.3+dfsg1-1 | 1.1.3+dfsg1-1

Detection & IOCs (extracted from sources)

port: 123/UDP
url: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz
bytes: \x8e\x0a\x6b\xc3\x80\x00\x00\x00\x00\x00\x02\x48\x47\x50\x53\x73
  • The exploit sends a crafted UDP packet to port 123 targeting the NTP control message handler (process_control() in ntp_control.c). Monitor for malformed NTP control packets (mode 6) with oversized or malformed data fields triggering out-of-bounds reads in ntpd.
  • The first byte of the PoC packet is 0x8e (NTP mode 6 / control message with specific flags). Inspect NTP traffic on UDP/123 for packets starting with 0x8e followed by the pattern 0x0a 0x6b 0xc3.
  • Affected versions are NTPsec 1.1.1 and 1.1.2. Detect vulnerable instances by identifying ntpd processes running these versions; fixed in 1.1.3.
  • The PoC does not crash the target; the vulnerability is an out-of-bounds read (information disclosure / stack memory leak), not a crash or RCE. Detection based solely on service crashes will miss exploitation attempts.
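
The checks described in the bullets above can be applied to captured UDP/123 payloads as follows. This is an added example, not code from the advisory or from NTPsec. It assumes the standard 12-byte mode 6 control header with the count field in bytes 10-11; the function name and the count-versus-length check are illustrative assumptions, and the sample packets are constructed.

```python
import struct
from typing import Optional

POC_PREFIX = bytes.fromhex("8e0a6bc3")   # leading bytes quoted on this page
# Assumed standard mode 6 header: LI/VN/mode, R/E/M/opcode, sequence,
# status, association ID, offset, count (all big-endian).
CTL_HEADER = struct.Struct("!BBHHHHH")


def inspect_ntp_control(payload: bytes) -> Optional[dict]:
    """Inspect one UDP/123 payload; return None unless it is a mode 6 packet."""
    if not payload or payload[0] & 0x07 != 6:
        return None
    result = {"prefix_match": payload.startswith(POC_PREFIX), "reasons": []}
    if result["prefix_match"]:
        result["reasons"].append("starts with 0x8e 0x0a 0x6b 0xc3")
    if len(payload) < CTL_HEADER.size:
        result["reasons"].append("control header shorter than 12 bytes")
        return result
    first, r_e_m_op, _seq, _status, _assoc, _offset, count = \
        CTL_HEADER.unpack_from(payload)
    present = len(payload) - CTL_HEADER.size
    result.update(version=(first >> 3) & 0x07, opcode=r_e_m_op & 0x1F,
                  declared_count=count, present_bytes=present)
    # Generic sanity check for an "oversized or malformed data field":
    # the header declares more data than the datagram carries.
    if count > present:
        result["reasons"].append(
            f"count declares {count} data bytes, only {present} present")
    return result


# Constructed samples. The first is just the 16 bytes listed on this page.
SAMPLE_FROM_PAGE = bytes.fromhex("8e0a6bc3800000000000024847505373")
BENIGN_READVAR = struct.pack("!BBHHHHH", 0x16, 2, 1, 0, 0, 0, 0)  # empty query
CLIENT_MODE3 = b"\x23" + bytes(47)                                # time request

if __name__ == "__main__":
    for name, pkt in (("page sample", SAMPLE_FROM_PAGE),
                      ("benign mode 6", BENIGN_READVAR),
                      ("mode 3 client", CLIENT_MODE3)):
        print(name, inspect_ntp_control(pkt))
```

Because the PoC does not crash ntpd, a packet-level check like this complements version inventory rather than replacing it.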

CVSS provenance

nvd | v3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P
osv | 9.1 | CRITICAL
vendor_debian | 9.1 | CRITICAL