[ntp:security] Fwd: Questions about CVE-2019-11331

Matt Ploessel matt.ploessel at gmail.com
Tue Apr 30 13:10:33 UTC 2019


NTPD Sec Team,

I’m CC’ing here Cameron and Justin and Tom from US-CERT (CISA), and Stan
from MITRE.

Tom/Cameron/Stan et al;
Anything you could tell us (Network Time Foundation / NTPD) about
CVE-2019-11331? It’s rated 9.8 but we (the vendor and code maintainers) don’t know
anything about it and honestly could use some assistance/clarification.

Matt Ploessel
Board Member
Network Time Foundation


On Tue, Apr 30, 2019 at 9:00 AM Matt Ploessel <matt.ploessel at gmail.com>
wrote:

> I’ll be in Pittsburgh the next few days for meetings, I can try and swing
> by CERT/CC @ Carnegie Mellon. I’ve also reached out to Stan (MITRE contact)
> for clarification and details on the CVE.
>
>
> On Mon, Apr 29, 2019 at 5:09 PM <stevos at nwtime.org> wrote:
>
>> This could come in handy for this new issue:
>> https://nvd.nist.gov/general/faq#eeabbb01-eb9f-488d-ac31-40a8b92c1473
>>
>> a couple of items from that page:
>>
>> What happens after a vulnerability is identified?
>> CVE identifiers are assigned by CVE and other CVE Numbering Authorities
>> (CNAs). The NVD receives data feeds from the CVE website and in turn
>> performs analysis to determine impact metrics (CVSS), vulnerability types
>> (CWE), and applicability statements (CPE), as well as other pertinent
>> metadata. The NVD does not actively perform vulnerability testing, relying
>> on vendors and third party security researchers to provide information that
>> is then used to assign these attributes. We then perform additional research
>> to confirm that CPEs comply with CPE specifications and include them in the
>> official CPE dictionary. As additional information becomes available CVSS
>> scores and configurations are subject to change.
>>
>> ***A vulnerability has been identified, and possibly a CVE has been
>> assigned, why is it not in your database?
>> Although a CVE ID may have been assigned by either CVE or a CAN, it will
>> not be available in the NVD if it has a status of RESERVED by CVE. Please
>> check the CVE dictionary first, and if you have further questions about a
>> specific CVE and when it will be available, please contact cve at mitre.org
>> directly.
>>
>> ***I have found an error within an NVD Vulnerability Summary, what should
>> I do?
>> Go to https://cveform.mitre.org/ to request updates to the vulnerability
>> descriptions, with an explanation of the error and any relevant details
>> (e.g. sources of information that demonstrate the error). If it is
>> determined that a CVE vulnerability summary should be revised, they will
>> update their data feed, which will generally be updated in the NVD within
>> 24 hours of an update to the CVE data feed. When you hear that the
>> vulnerability description will be updated please email the NVD to ensure
>> any required changes occur.
>>
>> One of the links provided with the CVE points to an incorrect hyperlink,
>> what should I do?
>> If you discover that a hyperlink does not reference the correct CVE
>> please email cve at mitre.org with the incorrect link and any other
>> applicable information.
>>
>> ***I am a software vendor and want to dispute that a vulnerability
>> exists. What should I do?
>> The NVD is based upon the CVE standard vulnerability dictionary. To
>> dispute a vulnerability, contact the CVE Editorial Board (and carbon copy
>> the NVD). Any action taken will be published in the CVE dictionary data
>> feeds, and reflected on the NVD Vulnerability summary page within 24 hours.
>>
>>
>> ***I would like to dispute the score of a vulnerability. What should I do?
>> If you believe a score should be changed based on publicly available
>> information that may not have been available at the time of the scoring
>> please email including the CVE ID and a description of the issue with
>> supporting public information and the NVD analysts will review the score
>> and respond appropriately.
>>
>>
>> The vulnerability has been remediated; can you remove the CVE from the
>> NVD?
>> The NVD does not remove vulnerabilities from the database. If you wish to
>> dispute a CVE, please contact the CVE Editorial Board who controls the
>> assignment, description, and deprecation of CVEs. If it is determined that
>> a CVE should not have been assigned, they will update their data feed,
>> which will then be updated in the NVD feeds within 24 hours.
>>
>> ***** Does NTF do this now? *****
>> *****What is the NVD Vendor Official Statement Service?
>> If you would like to provide an official vendor comment, which can
>> include information regarding links to patches or product updates, please
>> submit the specific text or information from a valid vendor email address
>> and we will post it for the associated CVE.
>>
>>
>> How do I report a vulnerability to the NVD?
>> The NIST National Vulnerability Database does not accept vulnerability
>> reports directly. If you would like to report a vulnerability, please
>> contact CERT/CC.
>>
>>
>> -----Original Message-----
>> From: security <security-bounces+stevos=nwtime.org at lists.ntp.org> On
>> Behalf Of stevos at nwtime.org
>> Sent: Monday, April 29, 2019 11:32 AM
>> To: 'Harlan Stenn' <stenn at nwtime.org>; 'Matt Ploessel' <
>> matt.ploessel at gmail.com>; security at ntp.org
>> Subject: Re: [ntp:security] Fwd: Questions about CVE-2019-11331
>> Importance: High
>>
>> Harlan and Matt,
>>
>> Should we reach out to Art Manion?
>>
>> On another note, do we have the CVE#s listed in Bugzilla with the
>> associated bugs that do get reported?  Seems like more folks use the CVE#
>> to call out bugs than they do the numbers we assign to them in Bugzilla.
>>
>>
>> Steve
>>
>> -----Original Message-----
>> From: security <security-bounces+stevos=nwtime.org at lists.ntp.org> On
>> Behalf Of Harlan Stenn
>> Sent: Monday, April 29, 2019 3:53 AM
>> To: Matt Ploessel <matt.ploessel at gmail.com>; security at ntp.org
>> Subject: [ntp:security] Fwd: Questions about CVE-2019-11331
>>
>> Matt,
>>
>> It looks like somebody opened up this CVE and never notified us.
>>
>> It also looks like this report is bogus, but I just heard about it in the
>> last few minutes and I'd like to check it out before I say more.
>>
>> I've already heard from one big customer asking about it, as they gave it
>> a CVSS3 score of 9.8, which seems insane and irresponsible.
>>
>> Not the sort of thing I want to see at 0345 when I'm about to fall asleep.
>>
>> H
>>
>> PS - I'm not sending this encrypted because our PGP key has expired and
>> Brad hasn't had time to refresh that yet.  I've asked him if he can get
>> that done sometime "today".
>>
>> -------- Forwarded Message --------
>> Return-Path: <stenn at nwtime.org>
>> X-Original-To: stenn at nwtime.org
>> Delivered-To: stenn at nwtime.org
>> Received: from [10.208.75.157] (75-139-194-196.dhcp.knwc.wa.charter.com
>> [75.139.194.196]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No
>> client certificate requested) by chessie.everett.org (Postfix) with
>> ESMTPSA id 44t1VS3XtgzL7N; Mon, 29 Apr 2019 10:44:00 +0000 (UTC)
>> Subject: Re: Questions about CVE-2019-11331
>> From: Harlan Stenn <stenn at nwtime.org>
>> To: Marius Rohde <marius.rohde at meinberg.de>
>> Cc: Steve Sullivan <stevos at nwtime.org>
>> References: <1747911970-17953 at srv-kerioconnect.py.meinberg.de>
>> <2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org>
>> Openpgp: preference=signencrypt
>> Autocrypt: addr=stenn at nwtime.org; prefer-encrypt=mutual; keydata=
>> Message-ID: <f7f8449c-5440-334f-0e0c-e97628354e44 at nwtime.org>
>> Date: Mon, 29 Apr 2019 03:43:58 -0700
>> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
>> Thunderbird/60.6.1
>> MIME-Version: 1.0
>> In-Reply-To: <2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org>
>> Content-Type: text/plain; charset=utf-8
>> Content-Language: en-US
>> Content-Transfer-Encoding: 8bit
>>
>> Hi Marius,
>>
>> Nobody told us about this one.
>>
>> I'm not certain yet, but this seems completely bogus to me.
>>
>> I'll loop in some wizards and see what I can find.
>>
>> H
>>
>> On 4/29/2019 3:35 AM, Harlan Stenn wrote:
>> > Hi Marius,
>> >
>> > On 4/29/2019 1:37 AM, Marius Rohde wrote:
>> >> Hi Harlan,
>> >>
>> >> we have seen that the problem with the standard port usage is rated
>> >> critical in the CVE database.
>> >> Do you have more background information? Is there a known exploit that
>> >> is able to do an NTP path-off attack?
>> >
>> > Which bug corresponds to this CVE report?  I'm not seeing it in any of
>> > our content.
>> >
>> > H
>> > --
>> >> Thank you in advance.
>> >>
>> >> Mit freundlichem Gruß / With kind regards *Marius Rohde*
>> >>
>> >> *MEINBERG Funkuhren GmbH & Co. KG*
>> >> Lange Wand 9
>> >> D-31812 Bad Pyrmont, Germany
>> >> Phone: +49 (0)5281 9309-485
>> >> Fax: +49 (0)5281 9309-230
>> >> Amtsgericht Hannover 17HRA 100322
>> >> Geschäftsführer: Günter Meinberg, Werner Meinberg, Andre Hartmann,
>> >> Heiko Gerstung
>> >> Email: marius.rohde at meinberg.de <http://marius.rohde@meinberg.de>
>> >> Internet: www.meinberg.de <https://www.meinberg.de> /
>> >> www.meinbergglobal.com <https://www.meinbergglobal.com> /
>> >> www.meinberg.academy <https://www.meinberg.academy>
>> >>
>> >> ---------------------------------------------------------------------
>> >> --- *MEINBERG - Solutions for Time and Frequency Synchronization*
>> >>
>> >
>>
>> --
>> Harlan Stenn, Network Time Foundation
>> http://nwtime.org - be a Member!
>> _______________________________________________
>> security mailing list
>> security at lists.ntp.org
>> http://lists.ntp.org/listinfo/security
>>