Description
Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port number is not required, which makes it easier for remote attackers to conduct off-path attacks.
Mitigation
On Red Hat Enterprise Linux 6 and later, switching from ntp to chrony is recommended. Among other design improvements, chrony sends its client queries from a randomised source port by default. If ntp must be kept, the source port of its outgoing queries can be randomised with an iptables masquerading rule, which mitigates this vulnerability for client-mode traffic: `iptables -t nat -I POSTROUTING -p udp -m udp --sport 123 -j MASQUERADE --to-ports 60000-61000`. The nat table is consulted only for the first packet of a connection-tracked flow, so replies that ntpd sends to incoming client queries keep port 123 as required; the rule covers IPv4 only and depends on connection tracking being active on the host.
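The following shell helper is an added example, not part of the Red Hat page or of the ntp/chrony projects. It parses `ss -unap`-style socket listings (the sample below is constructed, not captured from a real host), reports whether ntpd owns a socket on port 123 (the socket it also uses as the source of its own client queries) and prints the masquerading rule from the mitigation above. The function names and the port-range parameters are assumptions for illustration.

```shell
#!/bin/sh
# Added audit helper for the NTP fixed-source-port mitigation. Not from the
# advisory or from ntp/chrony. Assumes `ss -unap` lines of the form
#   udp UNCONN 0 0 LOCAL:PORT PEER:PORT users:(("proc",pid=N,fd=M))

# Constructed sample output (not captured from a real host): ntpd bound to
# 123 on IPv4 and IPv6, chronyd with its command socket on 323 and an
# ephemeral client socket.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=1234,fd=16))
udp UNCONN 0 0 [::]:123 [::]:* users:(("ntpd",pid=1234,fd=17))
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=99,fd=5))
udp UNCONN 0 0 0.0.0.0:48392 0.0.0.0:* users:(("chronyd",pid=99,fd=6))'

# Print "daemon port" for every UDP socket owned by ntpd or chronyd.
# $1: ss output text. The header line of ss never matches, so it can stay.
time_daemon_sockets() {
    printf '%s\n' "$1" | awk '
        /"(ntpd|chronyd)"/ {
            n = split($5, a, ":"); port = a[n]        # last field works for [::]:123 too
            match($0, /"(ntpd|chronyd)"/)
            print substr($0, RSTART + 1, RLENGTH - 2), port
        }'
}

# Exit 0 (true) when ntpd owns a socket on port 123: ntpd sends its client
# queries from that same socket, which is what this advisory is about.
# chronyd on 123 is only a server-side listener; its queries use a random port.
ntpd_uses_fixed_port() {
    time_daemon_sockets "$1" | awk '$1 == "ntpd" && $2 == 123 { found = 1 } END { exit !found }'
}

# Print the MASQUERADE rule from the advisory for the given port range.
# $1: low port, $2: high port (defaults are the advisory's 60000-61000).
masquerade_rule() {
    lo=${1:-60000}; hi=${2:-61000}
    printf 'iptables -t nat -I POSTROUTING -p udp -m udp --sport 123 -j MASQUERADE --to-ports %s-%s\n' "$lo" "$hi"
}

# On a live host replace SAMPLE_SS with "$(ss -unap)" (run as root so that
# process names are shown).
if ntpd_uses_fixed_port "$SAMPLE_SS"; then
    echo "ntpd sends from fixed port 123; apply:"
    masquerade_rule
else
    echo "no ntpd socket on 123"
fi
```

The check deliberately treats chronyd on port 123 as acceptable: that socket exists only when chrony is configured as a server, and its outgoing client queries still use an ephemeral port.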
Affected packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | ntp | Will not fix | | |
| Red Hat Enterprise Linux 6 | ntp | Will not fix | | |
| Red Hat Enterprise Linux 7 | ntp | Will not fix | | |
Additional information
EPSS: not given
CVSS3: 8.1 (High)
Related vulnerabilities
A vulnerability in the Network Time Protocol (NTP) caused by insufficient protection of protocol control data, allowing an attacker to cause a denial of service.