Bug 717798 (CVE-2020-11868) - <net-misc/ntp-4.2.8_p14: Multiple vulnerabilities (CVE-2020-11868)
Summary: <net-misc/ntp-4.2.8_p14: Multiple vulnerabilities (CVE-2020-11868)
Status: IN_PROGRESS
Alias: CVE-2020-11868
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa? cve cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-17 05:10 UTC by Sam James (sec padawan)
Modified: 2020-05-13 17:14 UTC
CC: 1 user

See Also:
Package list:
=net-misc/ntp-4.2.8_p14-r2
Runtime testing required: ---
nattka: sanity-check+


Description Sam James (sec padawan) 2020-04-17 05:10:43 UTC
1) CVE-2020-11868 / NTP Bug 3592

"The fix for https://bugs.ntp.org/3445 introduced a bug whereby a system that is running ntp-4.2.8p12 or p13 that only has one unauthenticated time source can be attacked in a way that causes the victim's next poll to its source to be delayed, for as long as the attack is maintained."

URL: http://support.ntp.org/bin/view/Main/NtpBug3592

2) NTP Bug 3596

"A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. The attacker must be able to send and the victim must be able to receive and process a large number of packets with the spoofed IPv4 address of the upstream server. After 8 or more successful attacks in a row, the attacker can either modify the victim's clock by a limited amount or cause ntpd to exit. This attack is most effective in cases where an unusually short poll interval is expressly configured on the victim's ntpd."

https://support.ntp.org/bin/view/Main/NtpBug3596
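Both advisories quoted above share the same preconditions on the victim's side: time sources that are not authenticated, a single source (bug 3592), and an unusually short poll interval (bug 3596). The real fix is the upgrade to 4.2.8_p14 tracked by this bug, but a defender can also check whether a host's configuration matches those preconditions. The following audit script is an added example, not code from Gentoo or from the NTP project; it parses the standard `server`/`peer`/`pool` directives of ntp.conf and their `key`, `autokey` and `minpoll` options, treats a `pool` line as resolving to several servers (an assumption), and runs against two constructed sample configurations.

```python
"""Audit an ntp.conf for the preconditions named in NTP bugs 3592 and 3596.

Added example; not part of the Gentoo bug or the NTP project.
Assumptions: only server/peer/pool lines define time sources, a source is
authenticated when it carries 'key N' or 'autokey', and a 'pool' line
resolves to more than one server.
"""
from __future__ import annotations

from dataclasses import dataclass

DEFAULT_MINPOLL = 6  # ntpd default minpoll: 2**6 = 64 seconds


@dataclass
class Source:
    kind: str            # 'server', 'peer' or 'pool'
    address: str
    authenticated: bool  # 'key N' or 'autokey' present on the line
    minpoll: int         # log2 of the minimum poll interval in seconds


def parse_sources(conf_text: str) -> list[Source]:
    """Return the time-source directives found in an ntp.conf body."""
    sources: list[Source] = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        if tokens[0] not in ("server", "peer", "pool") or len(tokens) < 2:
            continue
        opts = tokens[2:]
        authenticated = "key" in opts or "autokey" in opts
        minpoll = DEFAULT_MINPOLL
        if "minpoll" in opts:
            idx = opts.index("minpoll")
            if idx + 1 < len(opts) and opts[idx + 1].isdigit():
                minpoll = int(opts[idx + 1])
        sources.append(Source(tokens[0], tokens[1], authenticated, minpoll))
    return sources


def audit(conf_text: str) -> list[str]:
    """Report configuration conditions matching the two advisories."""
    sources = parse_sources(conf_text)
    unauth = [s for s in sources if not s.authenticated]
    findings: list[str] = []

    # Bug 3592: exactly one source, unauthenticated, and no pool line
    # (a pool is assumed to expand to several servers).
    has_pool = any(s.kind == "pool" for s in sources)
    if len(sources) == 1 and not has_pool and unauth:
        findings.append("single-unauthenticated-source")

    # Bug 3596: unauthenticated source polled more often than the default.
    for s in unauth:
        if s.minpoll < DEFAULT_MINPOLL:
            findings.append(f"short-minpoll:{s.address}")
    return findings


# Constructed sample configurations (not from any real host).
VULNERABLE_CONF = """\
# one unauthenticated IPv4 server, polled every 16 seconds
server 192.0.2.10 iburst minpoll 4 maxpoll 6
driftfile /var/lib/ntp/ntp.drift
"""

HARDENED_CONF = """\
keys /etc/ntp.keys
trustedkey 1
server 192.0.2.10 iburst key 1
server 192.0.2.11 iburst key 1
server 192.0.2.12 iburst key 1
pool 2.gentoo.pool.ntp.org iburst
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or 'no findings'}")
```

Running the script prints two findings for the first configuration (one unauthenticated source, and `minpoll 4`) and none for the second, which uses symmetric-key authentication, several servers and the default poll interval. A clean audit does not replace the upgrade: the advisories describe bugs in ntpd itself, and the checks only tell you whether a host is configured in the way that makes them easiest to trigger.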
Comment 1 Sam James (sec padawan) 2020-04-17 05:11:15 UTC
@maintainer(s), please advise if ready for stabilisation or call yourself
Comment 2 Sam James (sec padawan) 2020-05-02 16:39:11 UTC
acked by Polynomial-C, thanks!
Comment 3 Agostino Sarubbo gentoo-dev 2020-05-03 10:02:32 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-05-03 10:13:10 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-05-03 10:22:41 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-05-03 10:25:48 UTC
sparc stable
Comment 7 Sam James (sec padawan) 2020-05-04 06:22:39 UTC
arm64 stable
Comment 8 Rolf Eike Beer 2020-05-07 19:49:07 UTC
hppa stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-05-11 16:50:43 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-05-13 17:12:56 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-05-13 17:14:51 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.