[ntp:security] Security Vulnerability in ntpd v4.2.8p10 and v4.2.8p11

Nikhil Tripathi phd1401101002 at iiti.ac.in
Sun Mar 25 11:25:25 UTC 2018


Dear NTP project team,

 CVE mitre has assigned CVE-2018-8956 to this reported vulnerability.


On Fri, 23 Mar 2018, 4:47 pm Nikhil Tripathi, <phd1401101002 at iiti.ac.in>
wrote:

> Dear NTP project team,
>
> We found a vulnerability in the two most recent versions of ntpd -
> v4.2.8p10 and v4.2.8p11 which can be exploited to prevent a broadcast
> client from synchronizing itself with a broadcast server. In particular, by
> exploiting this vulnerability, an adversary prevents a broadcast client
> from calculating path propagation delay due to which client is not able to
> synchronize its clock with the broadcast server.
>
> We have also requested for a CVE ID allocation to this vulnerability.
>
> Attached is a document in which we describe the procedure to exploit this
> vulnerability.
>
> I hope this will help to make the implementation more robust and secure.
>
> Thanks..
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ntp.org/private/security/attachments/20180325/16a0f194/attachment.html>


More information about the security mailing list