SERVER-OTHER Multiple Vendors NTP zero-origin timestamp denial of service attempt
This event is generated when 5 or more NTP packet contains a zero-origin timestamp are sent within one second
Attempted Denial of Service
CVE-2018-7184:
CVSS base score
CVSS impact score
CVSS exploitability score
Confidentiality Impact
Integrity Impact
Availability Impact
CVE-2018-7185:
CVSS base score
CVSS impact score
CVSS exploitability score
Confidentiality Impact
Integrity Impact
Availability Impact
If an NTP packet containing a zero-origin timetamp is sent in some volume, then it could trigger a DoS condition with vulnerable versions of NTP package CVE-2018-7184: ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.
CVE-2018-7185: The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association.
Simple
Zero-origin timestamp is not against specification, however not common
Update to 4.2.8p11 or beyond
©2019 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.
Privacy Policy | Snort License | FAQ | Sitemap
