Debian Ntpsec vulnerabilities

CVE-2023-4012 [HIGH] CVE-2023-4012: ntpsec - ntpd will crash if the server is not NTS-enabled (no certificate) and it receive... ntpd will crash if the server is not NTS-enabled (no certificate) and it receives an NTS-enabled client request (mode 3). Scope: local bookworm: resolved (fixed in 1.2.2+dfsg1-1+deb12u1) bullseye: resolved forky: resolved (fixed in 1.2.2+dfsg1-2) sid: resolved (fixed in 1.2.2+dfsg1-2) trixie: resolved (fixed in 1.2.2+dfsg1-2)

CVE-2021-22212 [MEDIUM] CVE-2021-22212: ntpsec - ntpkeygen can generate keys that ntpd fails to parse. NTPsec 1.2.0 allows ntpkey... ntpkeygen can generate keys that ntpd fails to parse. NTPsec 1.2.0 allows ntpkeygen to generate keys with '#' characters. ntpd then either pads, shortens the key, or fails to load these keys entirely, depending on the key type and the placement of the '#'. This results in the administrator not being able to use the keys as expected or the keys are shorter than expe

CVE-2020-11868 [HIGH] CVE-2020-11868: ntp - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker... ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp. Scope: local bullseye: resolved (fixed in 1:4.2.8p14+dfsg-1)

CVE-2020-15025 [MEDIUM] CVE-2020-15025: ntp - ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attacke... ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file. Scope: local bullseye: resolved (fixed in 1:4.2.8p15-1)

CVE-2020-13817 [HIGH] CVE-2020-13817: ntp - ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to ... ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim's ntpd instance. Scope: local bul

CVE-2019-6443 [CRITICAL] CVE-2019-6443: ntpsec - An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem,... An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd. Scope: local bookworm: resolved (fixed in 1.1.3+dfsg1-1) bullseye: resolved (fixed in 1.1.3+dfsg1-1) forky: resolved (fixed in 1.1.3+dfsg1-1) sid: resolved (fixed in 1.1.3+dfsg1-1) trixie: resolved (fixed

CVE-2019-6444 [CRITICAL] CVE-2019-6444: ntpsec - An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control... An issue was discovered in NTPsec before 1.1.3. process_control() in ntp_control.c has a stack-based buffer over-read because attacker-controlled data is dereferenced by ntohl() in ntpd. Scope: local bookworm: resolved (fixed in 1.1.3+dfsg1-1) bullseye: resolved (fixed in 1.1.3+dfsg1-1) forky: resolved (fixed in 1.1.3+dfsg1-1) sid: resolved (fixed in 1.1.3+dfsg1-1)

CVE-2019-6445 [MEDIUM] CVE-2019-6445: ntpsec - An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can ca... An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can cause a NULL pointer dereference and ntpd crash in ntp_control.c, related to ctl_getitem. Scope: local bookworm: resolved (fixed in 1.1.3+dfsg1-1) bullseye: resolved (fixed in 1.1.3+dfsg1-1) forky: resolved (fixed in 1.1.3+dfsg1-1) sid: resolved (fixed in 1.1.3+dfsg1-1) trixie: resolved (fi

CVE-2019-6442 [MEDIUM] CVE-2019-6442: ntpsec - An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can wr... An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can write one byte out of bounds in ntpd via a malformed config request, related to config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and yyerror in ntp_parser.y. Scope: local bookworm: resolved (fixed in 1.1.3+dfsg1-1) bullseye: resolved (fixed in 1.1.3+dfsg1-1) forky: resolved (fi

CVE-2018-7182 [HIGH] CVE-2018-7182: ntp - The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote atta... The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with a ntpd instance from 4.2.8p6 through 4.2.8p10. Scope: local bullseye: resolved (fixed in 1:4.2.8p11+dfsg-1)

CVE-2018-7170 [MEDIUM] CVE-2018-7170: ntp - ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated us... ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549. Scope: local bullseye: resolved (fixed in 1:

CVE-2018-8956 [MEDIUM] CVE-2018-8956: ntp - ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remote attackers to ... ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remote attackers to prevent a broadcast client from synchronizing its clock with a broadcast NTP server via soofed mode 3 and mode 5 packets. The attacker must either be a part of the same broadcast network or control a slave in that broadcast network that can capture certain required packets on the attacker's

CVE-2018-7185 [HIGH] CVE-2018-7185: ntp - The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to ca... The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association. Scope: local bullseye: resolved (fixed in 1:4.2.8p11+dfsg-1)

CVE-2018-7183 [CRITICAL] CVE-2018-7183: ntp - Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p1... Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array. Scope: local bullseye: resolved (fixed in 1:4.2.8p11+dfsg-1)

CVE-2018-7184 [HIGH] CVE-2018-7184: ntp - ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "recei... ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-201