CVE-2020-11868

high-risk

Published 2020-04-17

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp.

Do I need to act?

1.3% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Ntp

Affected Vendors

Debian Redhat Ntp Netapp Opensuse

References (16)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html

Patch http://support.ntp.org/bin/view/Main/NtpBug3592

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1716665

Mailing List https://lists.debian.org/debian-lts-announce/2020/05/msg00004.html

Third Party Advisory https://security.gentoo.org/glsa/202007-12

Third Party Advisory https://security.netapp.com/advisory/ntap-20200424-0002/

Patch https://www.oracle.com//security-alerts/cpujul2021.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html

Patch http://support.ntp.org/bin/view/Main/NtpBug3592

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1716665

Mailing List https://lists.debian.org/debian-lts-announce/2020/05/msg00004.html

Third Party Advisory https://security.gentoo.org/glsa/202007-12

Third Party Advisory https://security.netapp.com/advisory/ntap-20200424-0002/

Patch https://www.oracle.com//security-alerts/cpujul2021.html

/ 100

high-risk

Severity 26/34 · High

Exploitability 4/34 · Minimal

Exposure 25/34 · High