CVE-2020-11868

CWE-346 CWE-400 — Uncontrolled Resource Consumption8 documents7 sources

Severity

7.5HIGH

EPSS

1.3%

top 20.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NTP NTP Debian Debian Linux Netapp Vasa Provider FOR Clustered Data Ontap +3 more

Timeline

PublishedApr 17

Latest updateMay 24

Description

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDntp/ntp4.3.98 — 4.3.100+2

▶Debianntp< 1:4.2.8p14+dfsg-1

▶NVDopensuse/leap15.1, 15.2+1

▶NVDnetapp/vasa_provider

▶NVDnetapp/virtual_storage_console

Also affects: Debian Linux 8.0, Enterprise Linux 7.0

Patches

Patch: support.ntp.org ↗Patch: www.oracle.com ↗Patch: support.ntp.org ↗

🔴Vulnerability Details

GHSA

GHSA-57qq-hwp2-xmcj: ntpd in ntp before 4↗2022-05-24

▶

CVEList

CVE-2020-11868: ntpd in ntp before 4↗2020-04-17

▶

OSV

CVE-2020-11868: ntpd in ntp before 4↗2020-04-17

▶

📋Vendor Advisories

Red Hat

ntp: DoS on client ntpd using server mode packet↗2020-03-03

▶

Debian

CVE-2020-11868: ntp - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker...↗2020

▶

💬Community

Bugzilla

CVE-2020-11868 ntp: DoS on client ntpd using server mode packet [fedora-all]↗2020-04-16

▶

Bugzilla

CVE-2020-11868 ntp: DoS on client ntpd using server mode packet↗2019-06-03

▶