CVE-2020-13817

HIGH

Ntp < 4.2.8 - Denial of Service

Title source: rule

Description

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim's ntpd instance.

References (7)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html

[Third Party Advisory] https://security.gentoo.org/glsa/202007-12

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpujan2022.html

[Vendor Advisory] http://support.ntp.org/bin/view/Main/NtpBug3596

[Issue Tracking, Vendor Advisory] https://bugs.ntp.org/show_bug.cgi?id=3596

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20200625-0004/

Scores

CVSS v3 7.4

EPSS 0.0035

EPSS Percentile 57.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-330

Status published

Products (24)

fujitsu/m10-1_firmware < xcp2410

fujitsu/m10-4_firmware < xcp2410

fujitsu/m10-4s_firmware < xcp2410

fujitsu/m12-1_firmware < xcp2410

fujitsu/m12-2_firmware < xcp2410

fujitsu/m12-2s_firmware < xcp2410

netapp/cloud_backup

netapp/clustered_data_ontap

netapp/data_ontap

netapp/element_software

... and 14 more

Published Jun 04, 2020

Tracked Since Feb 18, 2026