CVE-2018-8956

NameCVE-2018-8956
Descriptionntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remote attackers to prevent a broadcast client from synchronizing its clock with a broadcast NTP server via soofed mode 3 and mode 5 packets. The attacker must either be a part of the same broadcast network or control a slave in that broadcast network that can capture certain required packets on the attacker's behalf and send them to the attacker.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ntp (PTS)jessie1:4.2.6.p5+dfsg-7+deb8u2vulnerable
jessie (security)1:4.2.6.p5+dfsg-7+deb8u3vulnerable
stretch1:4.2.8p10+dfsg-3+deb9u2vulnerable
buster1:4.2.8p12+dfsg-4vulnerable
bullseye, sid1:4.2.8p14+dfsg-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ntpsource(unstable)(unfixed)low

Notes

[buster] - ntp <no-dsa> (Minor issue)
[stretch] - ntp <no-dsa> (Minor issue)
[jessie] - ntp <postponed> (Minor issue, requires being part of same broadcast network, no patch)
https://arxiv.org/abs/2005.01783
https://nikhiltripathi.in/NTP_attack.pdf
https://tools.ietf.org/html/rfc5905
check ntpsec

Search for package or bug name: Reporting problems