[ntp:security] Fwd: Questions about CVE-2019-11331

Danny Mayer mayer at ntp.org
Wed May 1 13:41:47 UTC 2019


Matt,

Harlan and I are of the opinion that the report is invalid. I don't know
who reported it, but they should provide at least a proof of concept
that it is valid; otherwise it should be rejected. We are not even sure
how it got such a high score.

Danny

On 4/30/19 9:10 AM, Matt Ploessel wrote:
> NTPD Sec Team,
>
> I’m CC’ing here Cameron and Justin and Tom from US-CERT (CISA), and
> Stan from MITRE.
>
> Tom/Cameron/Stan et al;
> anything you could tell us (Network Time Foundation / NTPD) about
> CVE-2019-11331? It’s rated 9.8 but we (the vendor and code
> maintainers) don’t know anything about it and honestly could use some
> assistance/clarification.
>
> Matt Ploessel
> Board Member
> Network Time Foundation
>
>
> On Tue, Apr 30, 2019 at 9:00 AM Matt Ploessel <matt.ploessel at gmail.com> wrote:
>
>     I’ll be in Pittsburgh the next few days for meetings, I can try
>     and swing by CERT/CC @ Carnegie Mellon. I’ve also reached out to
>     Stan (MITRE contact) for clarification and details on the CVE.
>
>
>     On Mon, Apr 29, 2019 at 5:09 PM <stevos at nwtime.org> wrote:
>
>         This could come in handy for this new issue:
>         https://nvd.nist.gov/general/faq#eeabbb01-eb9f-488d-ac31-40a8b92c1473
>
>         a couple of items from that page:
>
>         What happens after a vulnerability is identified?
>         CVE identifiers are assigned by CVE and other CVE Numbering
>         Authorities (CNAs). The NVD receives data feeds from the CVE
>         website and in turn performs analysis to determine impact
>         metrics (CVSS), vulnerability types (CWE), and applicability
>         statements (CPE), as well as other pertinent metadata. The NVD
>         does not actively perform vulnerability testing, relying on
>         vendors and third party security researchers to provide
>         information that is then used to assign these attributes. We then
>         perform additional research to confirm that CPEs comply with
>         CPE specifications and include them in the official CPE
>         dictionary. As additional information becomes available CVSS
>         scores and configurations are subject to change.
>
>         ***A vulnerability has been identified, and possibly a CVE has
>         been assigned, why is it not in your database?
>         Although a CVE ID may have been assigned by either CVE or a
>         CAN, it will not be available in the NVD if it has a status of
>         RESERVED by CVE. Please check the CVE dictionary first, and if
>         you have further questions about a specific CVE and when it
>         will be available, please contact cve at mitre.org directly.
>
>         ***I have found an error within an NVD Vulnerability Summary,
>         what should I do?
>         Go to https://cveform.mitre.org/ to request updates to the
>         vulnerability descriptions, with an explanation of the error
>         and any relevant details (e.g. sources of information that
>         demonstrate the error). If it is determined that a CVE
>         vulnerability summary should be revised, they will update
>         their data feed, which will generally be updated in the NVD
>         within 24 hours of an update to the CVE data feed. When you
>         hear that the vulnerability description will be updated please
>         email the NVD to ensure any required changes occur.
>
>         One of the links provided with the CVE points to an incorrect
>         hyperlink, what should I do?
>         If you discover that a hyperlink does not reference the
>         correct CVE please email cve at mitre.org
>         with the incorrect link and any other applicable information.
>
>         ***I am a software vendor and want to dispute that a
>         vulnerability exists. What should I do?
>         The NVD is based upon the CVE standard vulnerability
>         dictionary. To dispute a vulnerability, contact the CVE
>         Editorial Board (and carbon copy the NVD). Any action taken
>         will be published in the CVE dictionary data feeds, and
>         reflected on the NVD Vulnerability summary page within 24 hours.
>
>
>         ***I would like to dispute the score of a vulnerability. What
>         should I do?
>         If you believe a score should be changed based on publicly
>         available information that may not have been available at the
>         time of the scoring please email including the CVE ID and a
>         description of the issue with supporting public information
>         and the NVD analysts will review the score and respond
>         appropriately.
>
>
>         The vulnerability has been remediated; can you remove the CVE
>         from the NVD?
>         The NVD does not remove vulnerabilities from the database. If
>         you wish to dispute a CVE, please contact the CVE Editorial
>         Board who controls the assignment, description, and
>         deprecation of CVEs. If it is determined that a CVE should not
>         have been assigned, they will update their data feed, which
>         will then be updated in the NVD feeds within 24 hours.
>
>         ***** Does NTF do this now? *****
>         *****What is the NVD Vendor Official Statement Service?
>         If you would like to provide an official vendor comment, which
>         can include information regarding links to patches or product
>         updates, please submit the specific text or information from a
>         valid vendor email address and we will post it for the
>         associated CVE.
>
>
>         How do I report a vulnerability to the NVD?
>         The NIST National Vulnerability Database does not accept
>         vulnerability reports directly. If you would like to report a
>         vulnerability, please contact CERT/CC.
>
>
>         -----Original Message-----
>         From: security <security-bounces+stevos=nwtime.org at lists.ntp.org>
>         On Behalf Of stevos at nwtime.org
>         Sent: Monday, April 29, 2019 11:32 AM
>         To: 'Harlan Stenn' <stenn at nwtime.org>; 'Matt Ploessel'
>         <matt.ploessel at gmail.com>; security at ntp.org
>         Subject: Re: [ntp:security] Fwd: Questions about CVE-2019-11331
>         Importance: High
>
>         Harlan and Matt,
>
>         Should we reach out to Art Manion? 
>
>         On another note, do we have the CVE#s listed in Bugzilla with
>         the associated bugs that do get reported?  Seems like more
>         folks use the CVE# to call out bugs than they do the numbers
>         we assign to them in Bugzilla.
>
>
>         Steve
>
>         -----Original Message-----
>         From: security <security-bounces+stevos=nwtime.org at lists.ntp.org>
>         On Behalf Of Harlan Stenn
>         Sent: Monday, April 29, 2019 3:53 AM
>         To: Matt Ploessel <matt.ploessel at gmail.com>; security at ntp.org
>         Subject: [ntp:security] Fwd: Questions about CVE-2019-11331
>
>         Matt,
>
>         It looks like somebody opened up this CVE and never notified us.
>
>         It also looks like this report is bogus, but I just heard
>         about it in the last few minutes and I'd like to check it out
>         before I say more.
>
>         I've already heard from one big customer asking about it, as
>         they gave it a CVSS3 score of 9.8, which seems insane and
>         irresponsible.
>
>         Not the sort of thing I want to see at 0345 when I'm about to
>         fall asleep.
>
>         H
>
>         PS - I'm not sending this encrypted because our PGP key has
>         expired and Brad hasn't had time to refresh that yet.  I've
>         asked him if he can get that done sometime "today".
>
>         -------- Forwarded Message --------
>         Return-Path: <stenn at nwtime.org>
>         X-Original-To: stenn at nwtime.org
>         Delivered-To: stenn at nwtime.org
>         Received: from [10.208.75.157]
>         (75-139-194-196.dhcp.knwc.wa.charter.com
>         [75.139.194.196]) (using TLSv1 with cipher AES256-SHA (256/256
>         bits)) (No client certificate requested) by
>         chessie.everett.org (Postfix)
>         with ESMTPSA id 44t1VS3XtgzL7N; Mon, 29 Apr 2019 10:44:00
>         +0000 (UTC)
>         Subject: Re: Questions about CVE-2019-11331
>         From: Harlan Stenn <stenn at nwtime.org>
>         To: Marius Rohde <marius.rohde at meinberg.de>
>         Cc: Steve Sullivan <stevos at nwtime.org>
>         References: <1747911970-17953 at srv-kerioconnect.py.meinberg.de>
>         <2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org>
>         Openpgp: preference=signencrypt
>         Autocrypt: addr=stenn at nwtime.org;
>         prefer-encrypt=mutual; keydata=
>         Message-ID: <f7f8449c-5440-334f-0e0c-e97628354e44 at nwtime.org>
>         Date: Mon, 29 Apr 2019 03:43:58 -0700
>         User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0)
>         Gecko/20100101
>         Thunderbird/60.6.1
>         MIME-Version: 1.0
>         In-Reply-To: <2d2b3cfb-a8eb-f7aa-f832-ebcc33de8b5f at nwtime.org>
>         Content-Type: text/plain; charset=utf-8
>         Content-Language: en-US
>         Content-Transfer-Encoding: 8bit
>
>         Hi Marius,
>
>         Nobody told us about this one.
>
>         I'm not certain yet, but this seems completely bogus to me.
>
>         I'll loop in some wizards and see what I can find.
>
>         H
>
>         On 4/29/2019 3:35 AM, Harlan Stenn wrote:
>         > Hi Marius,
>         >
>         > On 4/29/2019 1:37 AM, Marius Rohde wrote:
>         >> Hi Harlan,
>         >>
>         >> we have seen that the problem with the standard port usage is rated
>         >> critical in the CVE database.
>         >> Do you have more background information? Exists a known exploit, that
>         >> is able to do a ntp path-off attack?
>         >
>         > Which bug corresponds to this CVE report?  I'm not seeing it in any of
>         > our content.
>         >
>         > H
>         > --
>         >> Thank you in advance.
>         >>
>         >> With kind regards *Marius Rohde*
>         >>
>         >> *MEINBERG Funkuhren GmbH & Co. KG*
>         >> Lange Wand 9
>         >> D-31812 Bad Pyrmont, Germany
>         >> Phone: +49 (0)5281 9309-485
>         >> Fax: +49 (0)5281 9309-230
>         >> Amtsgericht Hannover 17HRA 100322
>         >> Managing directors: Günter Meinberg, Werner Meinberg, Andre Hartmann,
>         >> Heiko Gerstung
>         >> Email: marius.rohde at meinberg.de
>         >> Internet: www.meinberg.de / www.meinbergglobal.com /
>         >> www.meinberg.academy
>         >>
>         >> ---------------------------------------------------------------------
>         >> --- *MEINBERG - Solutions for Time and Frequency Synchronization*
>         >>
>         >
>
>         --
>         Harlan Stenn, Network Time Foundation
>         http://nwtime.org - be a Member!
>         _______________________________________________
>         security mailing list
>         security at lists.ntp.org
>         http://lists.ntp.org/listinfo/security
>