[ntp:security] Fwd: Questions about CVE-2019-11331

stevos at nwtime.org stevos at nwtime.org
Mon Apr 29 21:09:28 UTC 2019


This could come in handy for this new issue:
https://nvd.nist.gov/general/faq#eeabbb01-eb9f-488d-ac31-40a8b92c1473

a couple of items from that page:

What happens after a vulnerability is identified?
CVE identifiers are assigned by CVE and other CVE Numbering Authorities (CNAs). The NVD receives data feeds from the CVE website and in turn performs analysis to determine impact metrics (CVSS), vulnerability types (CWE), and applicability statements (CPE), as well as other pertinent metadata. The NVD does not actively perform vulnerability testing, relying on vendors and third party security researchers to provide information that is then used to assign these attributes. We then perform additional research to confirm that CPEs comply with CPE specifications and include them in the official CPE dictionary. As additional information becomes available CVSS scores and configurations are subject to change.

***A vulnerability has been identified, and possibly a CVE has been assigned, why is it not in your database?
Although a CVE ID may have been assigned by either CVE or a CNA, it will not be available in the NVD if it has a status of RESERVED by CVE. Please check the CVE dictionary first, and if you have further questions about a specific CVE and when it will be available, please contact cve at mitre.org directly.

***I have found an error within an NVD Vulnerability Summary, what should I do?
Go to https://cveform.mitre.org/ to request updates to the vulnerability descriptions, with an explanation of the error and any relevant details (e.g. sources of information that demonstrate the error). If it is determined that a CVE vulnerability summary should be revised, they will update their data feed, which will generally be updated in the NVD within 24 hours of an update to the CVE data feed. When you hear that the vulnerability description will be updated please email the NVD to ensure any required changes occur.

One of the links provided with the CVE points to an incorrect hyperlink, what should I do?
If you discover that a hyperlink does not reference the correct CVE please email cve at mitre.org with the incorrect link and any other applicable information.

***I am a software vendor and want to dispute that a vulnerability exists. What should I do?
The NVD is based upon the CVE standard vulnerability dictionary. To dispute a vulnerability, contact the CVE Editorial Board (and carbon copy the NVD). Any action taken will be published in the CVE dictionary data feeds, and reflected on the NVD Vulnerability summary page within 24 hours.


***I would like to dispute the score of a vulnerability. What should I do?
If you believe a score should be changed based on publicly available information that may not have been available at the time of the scoring please email including the CVE ID and a description of the issue with supporting public information and the NVD analysts will review the score and respond appropriately.


The vulnerability has been remediated; can you remove the CVE from the NVD?
The NVD does not remove vulnerabilities from the database. If you wish to dispute a CVE, please contact the CVE Editorial Board who controls the assignment, description, and deprecation of CVEs. If it is determined that a CVE should not have been assigned, they will update their data feed, which will then be updated in the NVD feeds within 24 hours.

***** Does NTF do this now? *****
*****What is the NVD Vendor Official Statement Service?
If you would like to provide an official vendor comment, which can include information regarding links to patches or product updates, please submit the specific text or information from a valid vendor email address and we will post it for the associated CVE.


How do I report a vulnerability to the NVD?
The NIST National Vulnerability Database does not accept vulnerability reports directly. If you would like to report a vulnerability, please contact CERT/CC.


-----Original Message-----
From: security <security-bounces+stevos=nwtime.org at lists.ntp.org> On Behalf Of stevos at nwtime.org
Sent: Monday, April 29, 2019 11:32 AM
To: 'Harlan Stenn' <stenn at nwtime.org>; 'Matt Ploessel' <matt.ploessel at gmail.com>; security at ntp.org
Subject: Re: [ntp:security] Fwd: Questions about CVE-2019-11331
Importance: High

Harlan and Matt,

Should we reach out to Art Manion?  

On another note, do we have the CVE#s listed in Bugzilla with the associated bugs that do get reported?  Seems like more folks use the CVE# to call out bugs than they do the numbers we assign to them in Bugzilla.


Steve

-----Original Message-----
From: security <security-bounces+stevos=nwtime.org at lists.ntp.org> On Behalf Of Harlan Stenn
Sent: Monday, April 29, 2019 3:53 AM
To: Matt Ploessel <matt.ploessel at gmail.com>; security at ntp.org
Subject: [ntp:security] Fwd: Questions about CVE-2019-11331

Matt,

It looks like somebody opened up this CVE and never notified us.

It also looks like this report is bogus, but I just heard about it in the last few minutes and I'd like to check it out before I say more.

I've already heard from one big customer asking about it, as they gave it a CVSS3 score of 9.8, which seems insane and irresponsible.

Not the sort of thing I want to see at 0345 when I'm about to fall asleep.

H

PS - I'm not sending this encrypted because our PGP key has expired and Brad hasn't had time to refresh that yet.  I've asked him if he can get that done sometime "today".

-------- Forwarded Message --------
Return-Path: <stenn at nwtime.org>
X-Original-To: stenn at nwtime.org
Delivered-To: stenn at nwtime.org
Received: from [10.208.75.157] (75-139-194-196.dhcp.knwc.wa.charter.com
[75.139.194.196]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 44t1VS3XtgzL7N; Mon, 29 Apr 2019 10:44:00 +0000 (UTC)
Subject: Re: Questions about CVE-2019-11331
From: Harlan Stenn <stenn at nwtime.org>
To: Marius Rohde <marius.rohde at meinberg.de>
Cc: Steve Sullivan <stevos at nwtime.org>
References: <1747911970-17953 at srv-kerioconnect.py.meinberg.de>
<2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org>
Openpgp: preference=signencrypt
Autocrypt: addr=stenn at nwtime.org; prefer-encrypt=mutual
Message-ID: <f7f8449c-5440-334f-0e0c-e97628354e44 at nwtime.org>
Date: Mon, 29 Apr 2019 03:43:58 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit

Hi Marius,

Nobody told us about this one.

I'm not certain yet, but this seems completely bogus to me.

I'll loop in some wizards and see what I can find.

H

On 4/29/2019 3:35 AM, Harlan Stenn wrote:
> Hi Marius,
> 
> On 4/29/2019 1:37 AM, Marius Rohde wrote:
>> Hi Harlan,
>>
>> we have seen that the problem with the standard port usage is rated 
>> critical in the CVE database.
>> Do you have more background information? Is there a known exploit that 
>> is able to do an NTP path-off attack?
> 
> Which bug corresponds to this CVE report?  I'm not seeing it in any of 
> our content.
> 
> H
> --
>> Thank you in advance.
>>
>> Mit freundlichem Gruß / With kind regards *Marius Rohde*
>>
>> *MEINBERG Funkuhren GmbH & Co. KG*
>> Lange Wand 9
>> D-31812 Bad Pyrmont, Germany
>> Phone: +49 (0)5281 9309-485
>> Fax: +49 (0)5281 9309-230
>> Amtsgericht Hannover 17HRA 100322
>> Managing Directors: Günter Meinberg, Werner Meinberg, Andre Hartmann, 
>> Heiko Gerstung
>> Email: marius.rohde at meinberg.de <http://marius.rohde@meinberg.de>
>> Internet: www.meinberg.de <https://www.meinberg.de> / 
>> www.meinbergglobal.com <https://www.meinbergglobal.com> / 
>> www.meinberg.academy <https://www.meinberg.academy>
>>
>> ---------------------------------------------------------------------
>> --- *MEINBERG - Solutions for Time and Frequency Synchronization*
>>
> 

--
Harlan Stenn, Network Time Foundation
http://nwtime.org - be a Member!
_______________________________________________
security mailing list
security at lists.ntp.org
http://lists.ntp.org/listinfo/security
