CVE-2020-13817 — Use of Insufficiently Random Values in M10-1 Firmware

CWE-330 — Use of Insufficiently Random Values CWE-20 — Improper Input Validation CWE-358 — Improperly Implemented Security Check for Standard9 documents8 sources

Severity

7.4HIGHNVD

EPSS

0.3%

top 42.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NTP Fujitsu M10-1 Firmware Fujitsu M10-4 Firmware +5 more

Timeline

PublishedJun 4

Latest updateMay 24

Description

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim's ntpd instance.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 2.2 | Impact: 5.2

Affected Packages9 packages

▶NVDntp/ntp4.3.0 — 4.3.100+2

▶NVDfujitsu/m10-1_firmware< xcp2410

▶NVDfujitsu/m10-4_firmware< xcp2410+1

▶NVDfujitsu/m12-1_firmware< xcp2410+1

▶NVDfujitsu/m12-2_firmware< xcp2410+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-fx6x-7xgx-2wwp: ntpd in ntp before 4↗2022-05-24

▶

OSV

CVE-2020-13817: ntpd in ntp before 4↗2020-06-04

▶

CVEList

CVE-2020-13817: ntpd in ntp before 4↗2020-06-04

▶

📋Vendor Advisories

Oracle

Oracle Oracle Systems Risk Matrix: XCP Firmware (NTP) — CVE-2020-13817↗2022-01-15

▶

Red Hat

ntp: ntpd using highly predictable transmit timestamps could result in time change or DoS↗2020-03-03

▶

Debian

CVE-2020-13817: ntp - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to ...↗2020

▶

💬Community

Bugzilla

CVE-2020-13817 ntp: ntpd using highly predictable transmit timestamps could result in time change or DoS↗2020-03-09

▶

Bugzilla

CVE-2020-13817 ntp: ntpd using highly predictable transmit timestamps could result in timechange or DoS [fedora-all]↗2020-03-09

▶