First published: Wed Feb 28 2018(Updated: )
ntpd can be vulnerable to Sybil attacks. If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer -- i.e. one where the attacker knows the private symmetric key -- can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock. Ps.: This is possibly a incomplete fix for <a href="https://access.redhat.com/security/cve/CVE-2016-1549">CVE-2016-1549</a>. References: <a href="http://support.ntp.org/bin/view/Main/NtpBug3415">http://support.ntp.org/bin/view/Main/NtpBug3415</a>
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/ntp | <4.2.8 | 4.2.8 |
NTP ntp | >=4.2.0<4.2.8 | |
NTP ntp | >=4.3.0<4.3.92 | |
NTP ntp | =4.2.8 | |
NTP ntp | =4.2.8-p1 | |
NTP ntp | =4.2.8-p1-beta1 | |
NTP ntp | =4.2.8-p1-beta2 | |
NTP ntp | =4.2.8-p1-beta3 | |
NTP ntp | =4.2.8-p1-beta4 | |
NTP ntp | =4.2.8-p1-beta5 | |
NTP ntp | =4.2.8-p1-rc1 | |
NTP ntp | =4.2.8-p1-rc2 | |
NTP ntp | =4.2.8-p2 | |
NTP ntp | =4.2.8-p2-rc1 | |
NTP ntp | =4.2.8-p2-rc2 | |
NTP ntp | =4.2.8-p2-rc3 | |
NTP ntp | =4.2.8-p3 | |
NTP ntp | =4.2.8-p3-rc1 | |
NTP ntp | =4.2.8-p3-rc2 | |
NTP ntp | =4.2.8-p3-rc3 | |
NTP ntp | =4.2.8-p4 | |
NTP ntp | =4.2.8-p5 | |
NTP ntp | =4.2.8-p6 | |
Synology DiskStation Manager | >=5.2<6.1.6-15266 | |
Synology Router Manager | >=1.1<1.1.6-6931-3 | |
Synology Skynas | <6.1.5-15254 | |
Synology Virtual Diskstation Manager | <6.1.6-15266 | |
Synology Vs960hd Firmware | <2.2.3-1505 | |
Synology Vs960hd | ||
Netapp Hci | ||
Netapp Solidfire | ||
Hpe Hpux-ntp | <c.4.2.8.4.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2018-7170 is a vulnerability in ntpd which allows authenticated users to create arbitrary associations and modify a victim's clock via a Sybil attack.
Versions of ntp before 4.2.8p7 and 4.3.x before 4.3.92 are affected by CVE-2018-7170.
An attacker with knowledge of the private symmetric key can exploit CVE-2018-7170 to create arbitrary associations and modify a victim's clock via a Sybil attack.
The severity of CVE-2018-7170 is medium with a CVSS score of 5.3.
To fix CVE-2018-7170, it is recommended to update ntp to version 4.2.8p7 or 4.3.0 or later.