Synology-SA-18:13 NTP

Publish Time: 2018-03-27 15:57:38 UTC+8

Last Updated: 2018-04-10 16:29:05 UTC+8

Severity
Moderate
Status
Resolved

Abstract

These vulnerabilities allow remote attackers to conduct association attacks via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), Virtual DSM, SkyNAS or VS960HD.

Affected Products

Product Severity Fixed Release Availability
DSM 6.1 Moderate Upgrade to 6.1.6-15266 or above.
DSM 6.0 Moderate Upgrade to 6.1.6-15266 or above.
DSM 5.2 Moderate Upgrade to 6.1.6-15266 or above.
SRM 1.1 Moderate Upgrade to 1.1.6-6931-3 or above.
Virtual DSM Moderate Upgrade to 6.1.6-15266 or above.
SkyNAS Moderate Upgrade to 6.1.5-15254 or above.
VS960HD Moderate Upgrade to 2.2.3-1505 or above.

Mitigation

None

Detail

  • CVE-2018-7185

    • Severity: Low
    • CVSS3 Base Score: 3.1
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
    • The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association.
  • CVE-2018-7184

    • Severity: Low
    • CVSS3 Base Score: 3.1
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
    • ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.
  • CVE-2018-7170

    • Severity: Low
    • CVSS3 Base Score: 3.1
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
    • ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.
  • CVE-2018-7183

    • Severity: Moderate
    • CVSS3 Base Score: 5.0
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
    • Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.
  • CVE-2018-7182

    • Severity: Moderate
    • CVSS3 Base Score: 5.3
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    • The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with a ntpd instance from 4.2.8p6 through 4.2.8p10.
  • CVE-2016-1549

    • Severity: Moderate
    • CVSS3 Base Score: 5.3
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
    • A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.

Reference

Revision

Revision Date Description
1 2018-03-27 Initial public release.
2 2018-03-29 Update for SkyNAS is now available in Affected Products.
3 2018-04-10 Update for VS960HD is now available in Affected Products.