[ntp:security] [scr465532] four CVEs

cve-request at mitre.org
Wed Feb 21 00:12:19 UTC 2018


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

(This message was previously sent to security at ntp.org at 1517 UTC
on 2018-02-16.)

The four additional CVE IDs are below. We had previously sent
CVE-2018-7170 to Harlan Stenn for a fifth issue and he asked how to
edit it. It is not necessary to edit it at this time. We will obtain
the details from http://support.ntp.org/bin/view/Main/SecurityNotice
after the vulnerability becomes public.


> [Vulnerability Type]
> Buffer Overflow
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Network Time Foundation
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> NTP - ntp-4.2.8p6 - ntp-4.2.8p10
> 
> ------------------------------------------
> 
> [Reference]
> http://bugs.ntp.org/3412
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Discoverer]
> Yihan Lian of Qihoo 360

Use CVE-2018-7182.


> [Vulnerability Type]
> Buffer Overflow
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Network Time Foundation
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> ntpq - ntp-4.2.8p6 - ntp-4.2.8p10.  Fixed in ntp-4.2.8p11
> 
> ------------------------------------------
> 
> [Affected Component]
> ntpq's decodarr() function
> 
> ------------------------------------------
> 
> [Reference]
> http://bugs.ntp.org/3414
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Discoverer]
> Michael Macnair of Thales e-Security

Use CVE-2018-7183.


> [VulnerabilityType Other]
> Disruption of symmetric interleaved mode
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Network Time Foundation
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> NTP - ntp-4.2.8p4 - 4.2.8p10.  Fixed in ntp-4.2.8p11
> 
> ------------------------------------------
> 
> [Affected Component]
> ntpd
> 
> ------------------------------------------
> 
> [Reference]
> http://bugs.ntp.org/3453
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Discoverer]
> Miroslav Lichvar of Red Hat

Use CVE-2018-7184.


> [VulnerabilityType Other]
> Disruption of symmetric peer association
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Network Time Foundation
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> ntpd - ntp-4.2.8p4 - 4.2.8p10.  Fixed in ntp-4.2.8p11
> 
> ------------------------------------------
> 
> [Affected Component]
> ntpd
> 
> ------------------------------------------
> 
> [Attack Type Other]
> Protocol disruption
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Reference]
> http://bugs.ntp.org/3454
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Discoverer]
> Miroslav Lichvar of Red Hat

Use CVE-2018-7185.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]

