ID CVE-2018-7184
Summary ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.
References
Vulnerable Configurations
  • cpe:2.3:a:ntp:ntp:4.2.8:p10:*:*:*:*:*:*
  • cpe:2.3:a:ntp:ntp:4.2.8:p4:*:*:*:*:*:*
  • cpe:2.3:a:ntp:ntp:4.2.8:p5:*:*:*:*:*:*
  • cpe:2.3:a:ntp:ntp:4.2.8:p6:*:*:*:*:*:*
  • cpe:2.3:a:ntp:ntp:4.2.8:p7:*:*:*:*:*:*
  • cpe:2.3:a:ntp:ntp:4.2.8:p8:*:*:*:*:*:*
  • cpe:2.3:a:ntp:ntp:4.2.8:p9:*:*:*:*:*:*
  • cpe:2.3:a:synology:diskstation_manager:5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:synology:diskstation_manager:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:synology:diskstation_manager:6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:synology:router_manager:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:synology:skynas:-:*:*:*:*:*:*:*
  • cpe:2.3:a:synology:virtual_diskstation_manager:-:*:*:*:*:*:*:*
  • cpe:2.3:o:synology:vs960hd_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:o:slackware:slackware_linux:14.0:*:*:*:*:*:*:*
  • cpe:2.3:o:slackware:slackware_linux:14.1:*:*:*:*:*:*:*
  • cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
  • cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 24-08-2020 - 17:37)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
refmap via4
bid 103192
bugtraq 20180301 [Newsletter/Marketing] [slackware-security] ntp (SSA:2018-060-02)
confirm
freebsd FreeBSD-SA-18:02
gentoo GLSA-201805-12
misc http://packetstormsecurity.com/files/146631/Slackware-Security-Advisory-ntp-Updates.html
ubuntu USN-3707-1
Last major update 24-08-2020 - 17:37
Published 06-03-2018 - 20:29
Last modified 24-08-2020 - 17:37