ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.
2018-03-06T20:29:01.297
2025-01-14T19:29:55.853
Modified
CVSSv3.1: 5.3 (MEDIUM)
AV:N/AC:M/Au:S/C:N/I:P/A:N
6.8
2.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | ntp | ntp | < 4.2.8 | Yes |
| Application | ntp | ntp | < 4.3.92 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | ntp | ntp | 4.2.8 | Yes |
| Application | synology | router_manager | < 1.1.6-6931-3 | Yes |
| Application | synology | skynas | < 6.1.5-15254 | Yes |
| Application | synology | virtual_diskstation_manager | < 6.1.6-15266 | Yes |
| Operating System | synology | diskstation_manager | < 6.1.6-15266 | Yes |
| Operating System | synology | vs960hd_firmware | < 2.2.3-1505 | Yes |
| Hardware | synology | vs960hd | - | No |
| Application | netapp | hci | - | Yes |
| Application | netapp | solidfire | - | Yes |
| Application | hpe | hpux-ntp | < c.4.2.8.4.0 | Yes |