NTP BUG 2667: Buffer overflow in crypto_recv()

Last update: April 22, 2024 18:49 UTC (7e7bd5857)


Summary

Resolved: 4.2.8, 18 Dec 2014
References: Bug 2667, CVE-2014-9295
Affects: All releases before 4.2.8. Resolved in 4.2.8.
CVSS2 Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Description

When Autokey Authentication is enabled (i.e. the ntp.conf file contains a crypto pw ... directive), a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
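
The two exposure conditions stated above (a release before 4.2.8, and Autokey enabled in ntp.conf) can be checked on a host as follows. This is an added example, not code from the NTP project; the function names and the sample configuration are constructed for illustration, and any uncommented crypto directive is assumed to enable Autokey.

```shell
#!/bin/sh
# Added example, not NTP project code: exposure check for Bug 2667.

# autokey_enabled FILE: succeeds if FILE has an active "crypto" directive.
# Assumption: any uncommented crypto line counts as Autokey enabled, a
# superset of the "crypto pw ..." case named in the advisory.
autokey_enabled() {
    # Drop "#" comments, then require "crypto" as the first token on a line.
    sed 's/#.*//' "$1" | grep -Eq '^[[:space:]]*crypto([[:space:]]|$)'
}

# version_affected VERSION: succeeds if VERSION is before 4.2.8.
# Takes a bare version such as "4.2.6p5"; the pN suffix is ignored because
# the advisory's boundary is the 4.2.8 release. Unparseable input is
# treated as affected so that it gets looked at.
version_affected() {
    base=${1%%[!0-9.]*}                 # "4.2.6p5" -> "4.2.6"
    old_ifs=$IFS; IFS=.
    set -- $base                        # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -lt 4 ] && return 0
    [ "$major" -gt 4 ] && return 1
    [ "$minor" -lt 2 ] && return 0
    [ "$minor" -gt 2 ] && return 1
    [ "$patch" -lt 8 ]
}

# bug2667_exposed VERSION FILE: both conditions from the advisory hold.
bug2667_exposed() {
    version_affected "$1" && autokey_enabled "$2"
}

# Constructed sample configuration, not taken from a real host.
sample=$(mktemp)
printf '%s\n' 'server ntp.example.org iburst' '# crypto pw old-placeholder' \
    'crypto pw placeholder-secret   # Autokey on' > "$sample"
if bug2667_exposed 4.2.6p5 "$sample"; then
    echo "exposed: ntpd before 4.2.8 with Autokey enabled"
fi
rm -f "$sample"
```

Pass the bare version of the installed ntpd and the path to its ntp.conf; files pulled in through includefile are not followed.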


Mitigation

Any of:


Credit

This vulnerability was discovered by Stephen Roettger of the Google Security Team.


Timeline