[ntp:security] [scr465532] four CVEs

cve-request at mitre.org
Fri Feb 16 15:17:58 UTC 2018


The four additional CVE IDs are below. We had previously sent
CVE-2018-7170 to Harlan Stenn for a fifth issue and he asked how to
edit it. It is not necessary to edit it at this time. We will obtain
the details from http://support.ntp.org/bin/view/Main/SecurityNotice
after the vulnerability becomes public.


> [Vulnerability Type]
> Buffer Overflow
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Network Time Foundation
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> NTP - ntp-4.2.8p6 - ntp-4.2.8p10
> 
> ------------------------------------------
> 
> [Reference]
> http://bugs.ntp.org/3412
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Discoverer]
> Yihan Lian of Qihoo 360

Use CVE-2018-7182.


> [Vulnerability Type]
> Buffer Overflow
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Network Time Foundation
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> ntpq - ntp-4.2.8p6 - ntp-4.2.8p10.  Fixed in ntp-4.2.8p11
> 
> ------------------------------------------
> 
> [Affected Component]
> ntpq's decodarr() function
> 
> ------------------------------------------
> 
> [Reference]
> http://bugs.ntp.org/3414
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Discoverer]
> Michael Macnair of Thales e-Security

Use CVE-2018-7183.


> [VulnerabilityType Other]
> Disruption of symmetric interleaved mode
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Network Time Foundation
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> NTP - ntp-4.2.8p4 - 4.2.8p10.  Fixed in ntp-4.2.8p11
> 
> ------------------------------------------
> 
> [Affected Component]
> ntpd
> 
> ------------------------------------------
> 
> [Reference]
> http://bugs.ntp.org/3453
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Discoverer]
> Miroslav Lichvar of Red Hat

Use CVE-2018-7184.


> [VulnerabilityType Other]
> Disruption of symmetric peer association
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Network Time Foundation
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> ntpd - ntp-4.2.8p4 - 4.2.8p10.  Fixed in ntp-4.2.8p11
> 
> ------------------------------------------
> 
> [Affected Component]
> ntpd
> 
> ------------------------------------------
> 
> [Attack Type Other]
> Protocol disruption
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Reference]
> http://bugs.ntp.org/3454
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Discoverer]
> Miroslav Lichvar of Red Hat

Use CVE-2018-7185.


-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]

