CVE-2018-7170

Published: 06 March 2018

ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.

Priority

Low

CVSS 3 base score: 5.3

Status

Package: ntp (Launchpad, Ubuntu, Debian)

Release                                Status
Upstream                               Released (4.2.8p11)
Ubuntu 21.10 (Impish Indri)            Released (1:4.2.8p11+dfsg-1ubuntu1)
Ubuntu 21.04 (Hirsute Hippo)           Released (1:4.2.8p11+dfsg-1ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa)         Released (1:4.2.8p11+dfsg-1ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver)       Needed
Ubuntu 16.04 ESM (Xenial Xerus)        Needed
Ubuntu 14.04 ESM (Trusty Tahr)         Needed

Patches:
Upstream: http://bk.ntp.org/ntp-stable/?PAGE=cset&REV=5a5dab3a2_FQ3mvEDDduCKFCgMUHxg
Upstream: http://bk.ntp.org/ntp-stable/?PAGE=cset&REV=5a5ecbd3TlxNJ-4bhpgNPrNnk0qyRA
Upstream: http://bk.ntp.org/ntp-stable/?PAGE=cset&REV=5a682fbb3GRmeAsQBMaL14IFQKVWIQ
Upstream: http://bk.ntp.org/ntp-stable/?PAGE=cset&REV=5a6acee9cAeq0Mxp-nKXzoZdyFjupQ