[ntp:security] Fwd: Questions about CVE-2019-11331

Harlan Stenn stenn at nwtime.org
Mon Apr 29 20:41:56 UTC 2019



On 4/29/2019 11:31 AM, stevos at nwtime.org wrote:
> Harlan and Matt,
> 
> Should we reach out to Art Manion?  

Art is at CERT.  This report came thru Mitre.   Daniel Andolfi is the
most recent contact we have at Mitre.

There are at least 2 issues here:

- The CVE was filed and we were never notified
- The content of the CVE was apparently not vetted, and appears
  to contain a number of ... bogus claims.

> On another note, do we have the CVE#s listed in Bugzilla with the associated bugs that do get reported?  Seems like more folks use the CVE# to call out bugs than they do the numbers we assign to them in Bugzilla.

With enough money to upgrade support.ntp.org and our bugzilla, we can
more easily link our bug IDs to CVEs.  We use support.ntp.org and our
bugzilla because we *use* our bugzilla.  We don't do our work from the
CVE website.

H
--
> 
> Steve
> 
> -----Original Message-----
> From: security <security-bounces+stevos=nwtime.org at lists.ntp.org> On Behalf Of Harlan Stenn
> Sent: Monday, April 29, 2019 3:53 AM
> To: Matt Ploessel <matt.ploessel at gmail.com>; security at ntp.org
> Subject: [ntp:security] Fwd: Questions about CVE-2019-11331
> 
> Matt,
> 
> It looks like somebody opened up this CVE and never notified us.
> 
> It also looks like this report is bogus, but I just heard about it in the last few minutes and I'd like to check it out before I say more.
> 
> I've already heard from one big customer asking about it, as they gave it a CVSS3 score of 9.8, which seems insane and irresponsible.
> 
> Not the sort of thing I want to see at 0345 when I'm about to fall asleep.
> 
> H
> 
> PS - I'm not sending this encrypted because our PGP key has expired and Brad hasn't had time to refresh that yet.  I've asked him if he can get that done sometime "today".
> 
> -------- Forwarded Message --------
> Return-Path: <stenn at nwtime.org>
> X-Original-To: stenn at nwtime.org
> Delivered-To: stenn at nwtime.org
> Received: from [10.208.75.157] (75-139-194-196.dhcp.knwc.wa.charter.com
> [75.139.194.196]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 44t1VS3XtgzL7N; Mon, 29 Apr 2019 10:44:00 +0000 (UTC)
> Subject: Re: Questions about CVE-2019-11331
> From: Harlan Stenn <stenn at nwtime.org>
> To: Marius Rohde <marius.rohde at meinberg.de>
> Cc: Steve Sullivan <stevos at nwtime.org>
> References: <1747911970-17953 at srv-kerioconnect.py.meinberg.de>
> <2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org>
> Openpgp: preference=signencrypt
> Autocrypt: addr=stenn at nwtime.org; prefer-encrypt=mutual; keydata=
> Message-ID: <f7f8449c-5440-334f-0e0c-e97628354e44 at nwtime.org>
> Date: Mon, 29 Apr 2019 03:43:58 -0700
> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
> Thunderbird/60.6.1
> MIME-Version: 1.0
> In-Reply-To: <2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org>
> Content-Type: text/plain; charset=utf-8
> Content-Language: en-US
> Content-Transfer-Encoding: 8bit
> 
> Hi Marius,
> 
> Nobody told us about this one.
> 
> I'm not certain yet, but this seems completely bogus to me.
> 
> I'll loop in some wizards and see what I can find.
> 
> H
> 
> On 4/29/2019 3:35 AM, Harlan Stenn wrote:
>> Hi Marius,
>>
>> On 4/29/2019 1:37 AM, Marius Rohde wrote:
>>> Hi Harlan,
>>>
>>> we have seen that the problem with the standard port usage is rated 
>>> critical in the CVE database.
>>> Do you have more background information? Does a known exploit exist that 
>>> is able to do an NTP path-off attack?
>>
>> Which bug corresponds to this CVE report?  I'm not seeing it in any of 
>> our content.
>>
>> H
>> --
>>> Thank you in advance.
>>>
>>> Mit freundlichem Gruß / With kind regards *Marius Rohde*
>>>
>>> *MEINBERG Funkuhren GmbH & Co. KG*
>>> Lange Wand 9
>>> D-31812 Bad Pyrmont, Germany
>>> Phone: +49 (0)5281 9309-485
>>> Fax: +49 (0)5281 9309-230
>>> Amtsgericht Hannover 17HRA 100322
>>> Geschäftsführer: Günter Meinberg, Werner Meinberg, Andre Hartmann, 
>>> Heiko Gerstung
>>> Email: marius.rohde at meinberg.de <http://marius.rohde@meinberg.de>
>>> Internet: www.meinberg.de <https://www.meinberg.de> / 
>>> www.meinbergglobal.com <https://www.meinbergglobal.com> / 
>>> www.meinberg.academy <https://www.meinberg.academy>
>>>
>>> ------------------------------------------------------------------------
>>> *MEINBERG - Solutions for Time and Frequency Synchronization*
>>>
>>
> 
> --
> Harlan Stenn, Network Time Foundation
> http://nwtime.org - be a Member!
> 

-- 
Harlan Stenn, Network Time Foundation
http://nwtime.org - be a Member!

