Lucene search

K
ibmIBMB1D2840F9FDC959A0DA3F1F2AB7051C8B49645F0749D8F8A4902685F7EE6ABEA
HistorySep 22, 2021 - 11:38 p.m.

Security Bulletin: Vulnerability in ntp (CVE-2020-11868 and CVE-2020-13817).

2021-09-2223:38:15
www.ibm.com
9

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

0.023 Low

EPSS

Percentile

88.2%

Summary

NTP (Network Time Protocol) used to synchronize the time on your Power Hardware Management Console (HMC) with a centralized NTP server. HMC has addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2020-11868
**DESCRIPTION:**NTP is vulnerable to a denial of service, caused by a flaw in ntpd. By sending a server mode packet with a spoofed source IP address, a remote attacker could exploit this vulnerability to block unauthenticated synchronization resulting in a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180011 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-13817
**DESCRIPTION:**NTP is vulnerable to a denial of service, caused by an issue when relying on unauthenticated IPv4 time sources in ntpd. By predicting transmit timestamps for use in spoofed packets, a remote attacker could exploit this vulnerability to cause the daemon to crash or system time change.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183494 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
HMC V9.1.910.0 V9.1.910.0 and later

Remediation/Fixes

Remediation/Fixes

The following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/&gt;

Product

|

VRMF

|

APAR

|

Remediation/Fix

—|—|—|—

Power HMC

|

V9.1.940.0 SP1 ppc

|

MB04257

|

MH01865

Power HMC

|

V9.1.940.0 SP1 x86_64

|

MB04256

|

MH01864

Workarounds and Mitigations

None

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

0.023 Low

EPSS

Percentile

88.2%

Related for B1D2840F9FDC959A0DA3F1F2AB7051C8B49645F0749D8F8A4902685F7EE6ABEA