We are using a Qualys scan to show vulnerabilities with our infrastructure and have noticed that our ESXi 6.5 servers are showing as having an NTP vulnerability.
I know the resolution is the same as it has been for previous versions, where we add the noquery keyword to the NTP.conf file; however, there is no documentation from VMware with regards to this. The only thing I can find is the following, which only applies up to 6.0.x: VMware Knowledge Base
Looking further into this, I can see in the release notes for ESXi 6.5 Update 1 that the NTP package is updated to version 4.2.8p10. Looking at the vulnerabilities for that version of NTP, I can see CVE-2018-7183, which states: "Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array." I would assume that the noquery as stated in the VMware KB is still required, but can this be confirmed by anyone?
Confirmation from VMware Support after raising a support request:
Hello Team,
Apologies for the delayed response. I am assuming the ownership of this support request **********.
I have checked and confirmed that the noquery fix as stated in the VMware KB is required on 6.5 U1.
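One way to verify that the noquery keyword discussed in this thread is actually present after editing ntp.conf, as an added example that is not part of the original posts and is not VMware's code. The function names `parse_restrict` and `audit` and both sample configurations are constructed for illustration; the check assumes standard ntpd `restrict` syntax and treats `ignore` as equivalent because it drops all packets, queries included.

```python
# Added example: audit ntp.conf text for 'restrict default' lines lacking noquery.
QUERY_BLOCKING = {"noquery", "ignore"}  # 'ignore' drops all packets, queries included

def parse_restrict(line):
    """Return (address, flags) for a 'restrict' directive, else None."""
    tokens = line.split("#", 1)[0].split()   # strip trailing comments
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    tokens = tokens[1:]
    if tokens[0] in ("-4", "-6"):            # optional address-family selector
        tokens = tokens[1:]
    if not tokens:
        return None
    address, rest = tokens[0], tokens[1:]
    flags, skip = set(), False
    for tok in rest:
        if skip:                             # value following the 'mask' keyword
            skip = False
        elif tok == "mask":
            skip = True
        else:
            flags.add(tok)
    return address, flags

def audit(conf_text):
    """Return a list of (line_number, message); empty means queries are restricted."""
    findings, default_seen = [], False
    for number, line in enumerate(conf_text.splitlines(), 1):
        parsed = parse_restrict(line)
        if parsed is None or parsed[0] != "default":
            continue                         # host-specific lines (e.g. loopback) are not judged
        default_seen = True
        if not parsed[1] & QUERY_BLOCKING:
            findings.append((number, "restrict default lacks noquery"))
    if not default_seen:
        findings.append((0, "no 'restrict default' line; queries are not restricted"))
    return findings

# Constructed sample configs (not taken from a real host).
WEAK = """restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
server 0.pool.example.org
"""
HARDENED = """restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.pool.example.org
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text))
```

A finding with line number 0 means the file has no default restriction at all, which leaves queries open in the same way as a default line without noquery.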