CVE-2020-13817 — HIGH (7.4)

Q: How severe is CVE-2020-13817?

CVE-2020-13817 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-13817?

Check the references section above for vendor advisories and patch information. Affected products include: Ntp Ntp, Netapp Cloud Backup, Netapp Clustered Data Ontap, Netapp Data Ontap, Netapp Element Software.

Vulnerability Description

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim's ntpd instance.

CVSS Score

7.4

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Ntp	Ntp	< 4.2.8
Netapp	Cloud Backup	-
Netapp	Clustered Data Ontap	-
Netapp	Data Ontap	-
Netapp	Element Software	-
Netapp	Hci Management Node	-
Netapp	Ontap Tools	-
Netapp	Solidfire	-
Netapp	Steelstore Cloud Integrated Storage	-
Netapp	Hci Compute Node Firmware	-
Netapp	Hci Compute Node	-
Netapp	H410C Firmware	-
Netapp	H410C	-
Netapp	H300S Firmware	-
Netapp	H300S	-
Netapp	H500S Firmware	-
Netapp	H500S	-
Netapp	H700S Firmware	-
Netapp	H700S	-
Netapp	H300E Firmware	-

Related Weaknesses (CWE)

CWE-330

References

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.htmlMailing ListThird Party Advisory
http://support.ntp.org/bin/view/Main/NtpBug3596Vendor Advisory
https://bugs.ntp.org/show_bug.cgi?id=3596Issue TrackingVendor Advisory
https://security.gentoo.org/glsa/202007-12Third Party Advisory
https://security.netapp.com/advisory/ntap-20200625-0004/Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.htmlMailing ListThird Party Advisory
http://support.ntp.org/bin/view/Main/NtpBug3596Vendor Advisory
https://bugs.ntp.org/show_bug.cgi?id=3596Issue TrackingVendor Advisory
https://security.gentoo.org/glsa/202007-12Third Party Advisory
https://security.netapp.com/advisory/ntap-20200625-0004/Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2020-13817?

CVE-2020-13817 is a vulnerability with a CVSS score of 7.4 (HIGH). ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packe...

How severe is CVE-2020-13817?

CVE-2020-13817 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-13817?

Check the references section above for vendor advisories and patch information. Affected products include: Ntp Ntp, Netapp Cloud Backup, Netapp Clustered Data Ontap, Netapp Data Ontap, Netapp Element Software.