Sid 1-47585

Message

SERVER-OTHER ntpq decode array buffer overflow attempt

Summary

This event is generated when an attempt to exploit a buffer overflow in the decodearr function of ntpq (CVE-2018-7183) is detected in a response sent to an ntpq query.

Impact

Attempted User Privilege Gain

CVE-2018-7183:

CVSS base score 9.8

CVSS impact score 5.9

CVSS exploitability score 3.9

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2018-7183: Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.

Affected systems

  • NTP ntp 4.2.8 (4.2.8p6 through 4.2.8p10)
  • FreeBSD 10.3
  • FreeBSD 10.4
  • FreeBSD 11.1

Ease of attack

CVE-2018-7183:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • support.ntp.org/bin/view/Main/NtpBug3414