CVE-2018-7184

HIGH

ntp 4.2.8p4-4.2.8p10 - Remote Denial of Service via Zero-Origin Timestamp

Title source: llm
STIX 2.1

Description

ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.

References (10)

Core 10
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/103192
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201805-12
Third Party Advisory vendor-advisory x_refsource_freebsd
https://security.FreeBSD.org/advisories/FreeBSD-SA-18:02.ntp.asc
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180626-0001/
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/541824/100/0/threaded
Third Party Advisory x_refsource_confirm
http://support.ntp.org/bin/view/Main/NtpBug3453
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3707-1/
Third Party Advisory x_refsource_confirm
https://www.synology.com/support/security/Synology_SA_18_13

Scores

CVSS v3 7.5
EPSS 0.1313
EPSS Percentile 94.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

Status published
Products (17)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 17.10
canonical/ubuntu_linux 18.04
netapp/cloud_backup
netapp/steelstore_cloud_integrated_storage
ntp/ntp 4.2.8 p10 (7 CPE variants)
slackware/slackware_linux 14.0
slackware/slackware_linux 14.1
slackware/slackware_linux 14.2
... and 7 more
Published Mar 06, 2018
Tracked Since Feb 18, 2026