Candidate: CVE-2018-7170
PublicDate: 2018-03-06 20:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170
 http://www.kb.cert.org/vuls/id/961909
 http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S
Description:
 ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows
 authenticated users that know the private symmetric key to create
 arbitrarily-many ephemeral associations in order to win the clock
 selection of ntpd and modify a victim's clock via a Sybil attack. This
 issue exists because of an incomplete fix for CVE-2016-1549.
Ubuntu-Description:
Notes:
Bugs:
 http://support.ntp.org/bin/view/Main/NtpBug3415
Priority: low
Discovered-by: Matt Van Gundy
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N [5.3 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N [5.3 MEDIUM]

Patches_ntp:
 upstream: http://bk.ntp.org/ntp-stable/?PAGE=cset&REV=5a5dab3a2_FQ3mvEDDduCKFCgMUHxg
 upstream: http://bk.ntp.org/ntp-stable/?PAGE=cset&REV=5a5ecbd3TlxNJ-4bhpgNPrNnk0qyRA
 upstream: http://bk.ntp.org/ntp-stable/?PAGE=cset&REV=5a682fbb3GRmeAsQBMaL14IFQKVWIQ
 upstream: http://bk.ntp.org/ntp-stable/?PAGE=cset&REV=5a6acee9cAeq0Mxp-nKXzoZdyFjupQ
upstream_ntp: released (4.2.8p11)
precise/esm_ntp: ignored (end of ESM support, was needed)
trusty_ntp: ignored (reached end-of-life)
trusty/esm_ntp: needed
xenial_ntp: ignored (end of standard support, was needed)
esm-infra/xenial_ntp: needed
artful_ntp: ignored (reached end-of-life)
bionic_ntp: needed
cosmic_ntp: released (1:4.2.8p11+dfsg-1ubuntu1)
disco_ntp: released (1:4.2.8p11+dfsg-1ubuntu1)
eoan_ntp: released (1:4.2.8p11+dfsg-1ubuntu1)
focal_ntp: released (1:4.2.8p11+dfsg-1ubuntu1)
groovy_ntp: released (1:4.2.8p11+dfsg-1ubuntu1)
hirsute_ntp: released (1:4.2.8p11+dfsg-1ubuntu1)
impish_ntp: released (1:4.2.8p11+dfsg-1ubuntu1)
jammy_ntp: released (1:4.2.8p11+dfsg-1ubuntu1)
devel_ntp: released (1:4.2.8p11+dfsg-1ubuntu1)