NTP BUG 2668: Buffer overflow in ctl_putdata()

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

Summary

Resolved	4.2.8	18 Dec 2014
References	Bug 2668	CVE-2014-9295
Affects	All NTP4 releases before 4.2.8.	Resolved in 4.2.8.
CVSS2 Score	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P

Description

A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.

Mitigation

Any of:

Upgrade to 4.2.8 or later.
Put restrict ... noquery in your ntp.conf file, for non-trusted senders.

Credit

This vulnerability was discovered by Stephen Roettger of the Google Security Team.

Timeline

2014 Dec 18: Public release
: Early Access Program Release: Premier and Partner Institutional Members
: Notification to Institutional Members
: Initial notification received; analysis begins