Multiple vulnerabilities in NTPsec
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2019-6442 CVE-2019-6443 CVE-2019-6444 CVE-2019-6445 |
| CWE-ID | CWE-787 CWE-125 CWE-476 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. |
| Vulnerable software Subscribe |
NTPsec Client/Desktop applications / Encryption software |
| Vendor | The NTPsec project |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Out-of-bounds write
EUVDB-ID: #VU17181
Risk: High
CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-6442
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: Yes
DescriptionThe vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The weakness exists due to the affected software allows one byte to be written out of bounds in the ntpd daemon, related to the config_remotely function in the ntp_config.c source code file, the yyparse function in the ntp_parser.tab.c source code file, and the yyerror function in the ntp_parser.y source code file. A remote attacker can send a configuration request that submits malicious input, trigger ou-of-bounds write and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 1.1.3.
Vulnerable software versionsNTPsec: 0.9.0 - 1.1.2
External linkshttp://dumpco.re/blog/ntpsec-bugs
http://dumpco.re/bugs/ntpsec-authed-oobwrite
http://github.com/ntpsec/ntpsec/blob/NTPsec_1_1_3/NEWS
http://www.exploit-db.com/exploits/46178/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Stack out-of-bounds read
EUVDB-ID: #VU17182
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-6443
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: Yes
DescriptionThe vulnerability allows a remote authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a bug in ctl_getitem. A remote attacker can trigger a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd and perform a denial of service attack.
MitigationUpdate to version 1.1.3.
Vulnerable software versionsNTPsec: 0.9.0 - 1.1.2
External linkshttp://dumpco.re/blog/ntpsec-bugs
http://dumpco.re/bugs/ntpsec-oobread1
http://github.com/ntpsec/ntpsec/blob/NTPsec_1_1_3/NEWS
http://www.exploit-db.com/exploits/46175/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Stack out-of-bounds read
EUVDB-ID: #VU17183
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-6444
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: Yes
DescriptionThe vulnerability allows a remote authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to attacker-controlled data is dereferenced by ntohl() in ntpd. A remote attacker can trigger stack-based buffer over-read in process_control() in ntp_control.c perform a denial of service attack.
MitigationUpdate to version 1.1.3.
Vulnerable software versionsNTPsec: 0.9.0 - 1.1.2
External linkshttp://dumpco.re/blog/ntpsec-bugs
http://dumpco.re/bugs/ntpsec-oobread2
http://github.com/ntpsec/ntpsec/blob/NTPsec_1_1_3/NEWS
http://www.exploit-db.com/exploits/46176/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) NULL pointer dereference
EUVDB-ID: #VU17184
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-6445
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: Yes
DescriptionThe vulnerability allows a remote authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote authenticated attacker can trigger NULL pointer dereference and ntpd crash in ntp_control.c, related to ctl_getitem. A remote attacker can perform a denial of service (DoS) attack.
MitigationUpdate to version 1.1.3.
Vulnerable software versionsNTPsec: 0.9.0 - 1.1.2
External linkshttp://dumpco.re/blog/ntpsec-bugs
http://dumpco.re/bugs/ntpsec-authed-npe
http://github.com/ntpsec/ntpsec/blob/NTPsec_1_1_3/NEWS
http://www.exploit-db.com/exploits/46177/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
