CVE-2020-11868
📋 TL;DR
This vulnerability in ntpd allows an off-path attacker to spoof NTP server responses and block time synchronization for unauthenticated clients. It affects systems running vulnerable versions of ntp before 4.2.8p14 or 4.3.x before 4.3.100. The attack requires network access but no authentication.
💻 Affected Systems
- ntp
- ntpd
📦 What is this software?
All Flash Fabric Attached Storage 8300 Firmware by Netapp
View all CVEs affecting All Flash Fabric Attached Storage 8300 Firmware →
All Flash Fabric Attached Storage 8700 Firmware by Netapp
View all CVEs affecting All Flash Fabric Attached Storage 8700 Firmware →
All Flash Fabric Attached Storage A400 Firmware by Netapp
View all CVEs affecting All Flash Fabric Attached Storage A400 Firmware →
Fabric Attached Storage 8300 Firmware by Netapp
View all CVEs affecting Fabric Attached Storage 8300 Firmware →
Fabric Attached Storage 8700 Firmware by Netapp
View all CVEs affecting Fabric Attached Storage 8700 Firmware →
Fabric Attached Storage A400 Firmware by Netapp
View all CVEs affecting Fabric Attached Storage A400 Firmware →
Leap by Opensuse
Leap by Opensuse
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Ntp by Ntp
Solidfire by Netapp
Vasa Provider For Clustered Data Ontap by Netapp
View all CVEs affecting Vasa Provider For Clustered Data Ontap →
⚠️ Risk & Real-World Impact
Worst Case
Time synchronization completely disrupted across an organization, causing authentication failures, log corruption, and service disruptions due to time drift.
Likely Case
Targeted disruption of time synchronization for specific systems, potentially causing authentication issues and log inconsistencies.
If Mitigated
Minimal impact if NTP authentication is enabled or systems are patched; time synchronization continues normally.
🎯 Exploit Status
Exploit requires off-path position and ability to spoof NTP server responses. Proof of concept exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ntp 4.2.8p14, ntp 4.3.100
Vendor Advisory: http://support.ntp.org/bin/view/Main/NtpBug3592
Restart Required: Yes
Instructions:
1. Check current ntp version. 2. Update using package manager: 'apt-get update && apt-get upgrade ntp' (Debian/Ubuntu) or 'yum update ntp' (RHEL/CentOS). 3. Restart ntpd service: 'systemctl restart ntpd' or 'service ntp restart'.
🔧 Temporary Workarounds
Enable NTP authentication
linuxConfigure NTP authentication using autokey or symmetric keys to prevent spoofed responses
# Edit /etc/ntp.conf
# Add: server ntp.server.com key 10
# Add: keys /etc/ntp.keys
# Generate keys: ntp-keygen
# Restart: systemctl restart ntpd
Restrict NTP sources
linuxConfigure firewall rules to only allow NTP from trusted sources
# iptables -A INPUT -p udp --dport 123 -s trusted.ntp.server -j ACCEPT
# iptables -A INPUT -p udp --dport 123 -j DROP
🧯 If You Can't Patch
- Enable NTP authentication to prevent spoofed responses
- Implement network segmentation and firewall rules to restrict NTP traffic to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check ntp version: 'ntpd --version' or 'dpkg -l | grep ntp' or 'rpm -qa | grep ntp'. If version is before 4.2.8p14 or 4.3.100, system is vulnerable.Check Version:
ntpd --version 2>&1 | head -1Verify Fix Applied:
Verify updated version: 'ntpd --version' should show 4.2.8p14 or 4.3.100+. Check NTP synchronization: 'ntpq -p' should show proper time sources.📡 Detection & Monitoring
Log Indicators:
- NTP log entries showing synchronization failures
- Unexpected NTP server responses in logs
- Time drift alerts in system logs
Network Indicators:
- Spoofed NTP packets with invalid timestamps
- Unusual NTP traffic patterns from unexpected sources
SIEM Query:
source="ntp.log" AND ("synchronization lost" OR "invalid timestamp" OR "server unreachable")🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html
- http://support.ntp.org/bin/view/Main/NtpBug3592
- https://bugzilla.redhat.com/show_bug.cgi?id=1716665
- https://lists.debian.org/debian-lts-announce/2020/05/msg00004.html
- https://security.gentoo.org/glsa/202007-12
- https://security.netapp.com/advisory/ntap-20200424-0002/
- https://www.oracle.com//security-alerts/cpujul2021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html
- http://support.ntp.org/bin/view/Main/NtpBug3592
- https://bugzilla.redhat.com/show_bug.cgi?id=1716665
- https://lists.debian.org/debian-lts-announce/2020/05/msg00004.html
- https://security.gentoo.org/glsa/202007-12
- https://security.netapp.com/advisory/ntap-20200424-0002/
- https://www.oracle.com//security-alerts/cpujul2021.html
