CVE-2020-11868

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 17-04-2020 06:15

Last modified: - 26-04-2022 07:05

Total changes: - 4

Description

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Low

Attack complexity

Network

Attack vector

High

Availability

None

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

7.5

Base score

3.9

3.6

Exploitability score

Impact score

Verification logic

vendor=ntp AND product=ntp AND versionEndIncluding=4.2.7

vendor=ntp AND product=ntp AND version=4.2.8 AND update=-

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p1

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p1-beta1

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p1-beta2

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p1-beta3

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p1-beta4

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p1-beta5

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p1-rc1

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p1-rc2

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p10

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p11

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p12

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p13

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p2

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p2-rc1

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p2-rc2

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p2-rc3

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p3

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p3-rc1

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p3-rc2

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p3-rc3

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p4

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p5

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p6

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p7

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p8

vendor=ntp AND product=ntp AND version=4.2.8 AND update=p9

vendor=ntp AND product=ntp AND versionStartIncluding=4.3.98 AND versionEndExcluding=4.3.100

vendor=Red Hat Enterprise Linux AND product=enterprise_linux AND version=7.0

vendor=netapp AND product=data_ontap AND version=- AND target_software=7-mode

vendor=netapp AND product=hci_management_node AND version=-

vendor=netapp AND product=solidfire AND version=-

vendor=netapp AND product=vasa_provider_for_clustered_data_ontap AND versionStartIncluding=7.2

vendor=netapp AND product=vasa_provider_for_clustered_data_ontap AND target_software=vsphere AND versionStartIncluding=7.2

vendor=netapp AND product=virtual_storage_console AND target_software=vsphere AND versionStartIncluding=7.2

vendor=netapp AND product=clustered_data_ontap AND version=-

AND

vendor=netapp AND product=hci_storage_node_firmware AND version=-

vendor=netapp AND product=hci_storage_node AND version=-

AND

vendor=netapp AND product=fabric-attached_storage_8300_firmware AND version=-

vendor=netapp AND product=fabric-attached_storage_8300 AND version=-

AND

vendor=netapp AND product=fabric-attached_storage_8700_firmware AND version=-

vendor=netapp AND product=fabric-attached_storage_8700 AND version=-

AND

vendor=netapp AND product=fabric-attached_storage_a400_firmware AND version=-

vendor=netapp AND product=fabric-attached_storage_a400 AND version=-

AND

vendor=netapp AND product=all_flash_fabric-attached_storage_8300_firmware AND version=-

vendor=netapp AND product=all_flash_fabric-attached_storage_8300 AND version=-

AND

vendor=netapp AND product=all_flash_fabric-attached_storage_8700_firmware AND version=-

vendor=netapp AND product=all_flash_fabric-attached_storage_8700 AND version=-

AND

vendor=netapp AND product=all_flash_fabric-attached_storage_a400_firmware AND version=-

vendor=netapp AND product=all_flash_fabric-attached_storage_a400 AND version=-

vendor=Debian AND product=debian_linux AND version=8.0

vendor=opensuse AND product=leap AND version=15.1

vendor=opensuse AND product=leap AND version=15.2

Reference

http://support.ntp.org/bin/view/Main/NtpBug3592
https://bugzilla.redhat.com/show_bug.cgi?id=1716665
https://security.netapp.com/advisory/ntap-20200424-0002/
[debian-lts-announce] 20200505 [SECURITY] [DLA 2201-1] ntp security update-Mailing List, Third Party Advisory
openSUSE-SU-2020:0934-Mailing List, Third Party Advisory
openSUSE-SU-2020:1007-Mailing List, Third Party Advisory
GLSA-202007-12-Third Party Advisory
N/A-Patch, Third Party Advisory

Keywords

CVE-2020-11868

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2020-11868

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures