{ "document": { "aggregate_severity": { "text": "High" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu18.04els/vex/2020/cve-2020-13817-els_os-ubuntu18_04els.json" } ], "tracking": { "current_release_date": "2026-04-30T20:24:41Z", "generator": { "date": "2026-04-30T20:24:41Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2020-13817-ELS_OS-UBUNTU18.04ELS", "initial_release_date": "2020-06-04T13:15:00Z", "revision_history": [ { "date": "2020-06-04T13:15:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-04-24T11:14:07Z", "number": "2", "summary": "Official Publication" }, { "date": "2026-04-30T20:24:41Z", "number": "3", "summary": "Update document" } ], "status": "final", "version": "3" }, "title": "Security update on CVE-2020-13817" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Ubuntu 18.04", "product": { "name": "Ubuntu 18.04", "product_id": "Ubuntu-18", "product_identification_helper": { "cpe": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*" } } } ], "category": "product_family", "name": "Ubuntu" }, { "branches": [ { "category": "product_version", "name": "ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "product": { "name": "ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "product_id": "ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "product_identification_helper": { "purl": "pkg:deb/ubuntu/ntpdate@4.2.8p10%2Bdfsg-5ubuntu7.3?arch=amd64" } } }, { "category": "product_version", "name": "sntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "product": { "name": "sntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "product_id": "sntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "product_identification_helper": { "purl": "pkg:deb/ubuntu/sntp@4.2.8p10%2Bdfsg-5ubuntu7.3?arch=amd64" } } }, { "category": "product_version", "name": "ntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "product": { "name": "ntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "product_id": "ntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "product_identification_helper": { "purl": "pkg:deb/ubuntu/ntp@4.2.8p10%2Bdfsg-5ubuntu7.3?arch=amd64" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3.all", "product": { "name": "ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3.all", "product_id": "ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3.all", "product_identification_helper": { "purl": "pkg:deb/ubuntu/ntp-doc@4.2.8p10%2Bdfsg-5ubuntu7.3?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "Canonical Ltd." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "product": { "name": "ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "product_id": "ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/ntpdate@4.2.8p10%2Bdfsg-5ubuntu7.3%2Btuxcare.els1?arch=amd64" } } }, { "category": "product_version", "name": "sntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "product": { "name": "sntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "product_id": "sntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/sntp@4.2.8p10%2Bdfsg-5ubuntu7.3%2Btuxcare.els1?arch=amd64" } } }, { "category": "product_version", "name": "ntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "product": { "name": "ntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "product_id": "ntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/ntp@4.2.8p10%2Bdfsg-5ubuntu7.3%2Btuxcare.els1?arch=amd64" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.all", "product": { "name": "ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.all", "product_id": "ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/ntp-doc@4.2.8p10%2Bdfsg-5ubuntu7.3%2Btuxcare.els1?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "CloudLinux" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64" }, "product_reference": "ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.all as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.all" }, "product_reference": "ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.all", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "sntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:sntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64" }, "product_reference": "sntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "ntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:ntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64" }, "product_reference": "ntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3.amd64" }, "product_reference": "ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3.all as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3.all" }, "product_reference": "ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3.all", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "sntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:sntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64" }, "product_reference": "sntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "ntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64 as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:ntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64" }, "product_reference": "ntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "relates_to_product_reference": "Ubuntu-18" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-13817", "cwe": { "id": "CWE-330", "name": "Use of Insufficiently Random Values" }, "notes": [ { "category": "description", "text": "ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim's ntpd instance.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "Ubuntu-18:ntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "Ubuntu-18:ntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "Ubuntu-18:ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.all", "Ubuntu-18:ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3.all", "Ubuntu-18:ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "Ubuntu-18:ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "Ubuntu-18:sntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "Ubuntu-18:sntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2020-13817" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html" }, { "category": "external", "summary": "http://support.ntp.org/bin/view/Main/NtpBug3596", "url": "http://support.ntp.org/bin/view/Main/NtpBug3596" }, { "category": "external", "summary": "https://bugs.ntp.org/show_bug.cgi?id=3596", "url": "https://bugs.ntp.org/show_bug.cgi?id=3596" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202007-12", "url": "https://security.gentoo.org/glsa/202007-12" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20200625-0004/", "url": "https://security.netapp.com/advisory/ntap-20200625-0004/" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujan2022.html", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "release_date": "2020-06-04T13:15:00Z", "remediations": [ { "category": "no_fix_planned", "details": "Exploitation requires an off-path attacker capable of issuing NTP queries to the target ntpd while the target peers with unauthenticated IPv4 time sources, and additionally requires the attacker to predict the daemon's transmit timestamps within a narrow window before the legitimate server response arrives. The attack is rated High attack complexity (CVSS AC:H) on these grounds. Symmetric-key or autokey-authenticated time peers are not reachable by this attack as the response timestamp validity is gated on the cryptographic MAC rather than transmit-timestamp prediction.", "product_ids": [ "Ubuntu-18:ntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "Ubuntu-18:ntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "Ubuntu-18:ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.all", "Ubuntu-18:ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3.all", "Ubuntu-18:ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "Ubuntu-18:ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "Ubuntu-18:sntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "Ubuntu-18:sntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64" ] } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "Ubuntu-18:ntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "Ubuntu-18:ntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "Ubuntu-18:ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.all", "Ubuntu-18:ntp-doc-1:4.2.8p10+dfsg-5ubuntu7.3.all", "Ubuntu-18:ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "Ubuntu-18:ntpdate-1:4.2.8p10+dfsg-5ubuntu7.3.amd64", "Ubuntu-18:sntp-1:4.2.8p10+dfsg-5ubuntu7.3+tuxcare.els1.amd64", "Ubuntu-18:sntp-1:4.2.8p10+dfsg-5ubuntu7.3.amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] } ] }