CVE-2018-8956

NameCVE-2018-8956
Descriptionntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remote attackers to prevent a broadcast client from synchronizing its clock with a broadcast NTP server via soofed mode 3 and mode 5 packets. The attacker must either be a part of the same broadcast network or control a slave in that broadcast network that can capture certain required packets on the attacker's behalf and send them to the attacker.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ntp (PTS)jessie, jessie (lts)1:4.2.6.p5+dfsg-7+deb8u3vulnerable
stretch1:4.2.8p10+dfsg-3+deb9u2vulnerable
buster, buster (lts)1:4.2.8p12+dfsg-4+deb10u1vulnerable
bullseye1:4.2.8p15+dfsg-1fixed
ntpsec (PTS)buster1.1.3+dfsg1-2+deb10u1fixed
bullseye1.2.0+dfsg1-4fixed
bookworm (security), bookworm1.2.2+dfsg1-1+deb12u1fixed
sid, trixie1.2.3+dfsg1-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ntpsource(unstable)1:4.2.8p14+dfsg-1low
ntpsecsource(unstable)(not affected)

Notes

[buster] - ntp <ignored> (Minor issue)
[stretch] - ntp <no-dsa> (Minor issue)
[jessie] - ntp <postponed> (Minor issue, requires being part of same broadcast network, no patch)
- ntpsec <not-affected> (Broadcast mode not present, see #961748)
https://arxiv.org/abs/2005.01783
https://nikhiltripathi.in/NTP_attack.pdf
https://tools.ietf.org/html/rfc5905
[wheezy] - ntp <no-dsa> (Minor issue, no patch)

Search for package or bug name: Reporting problems