NTP BUG 2899: Incomplete autokey data packet length checks

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

---

Summary

Resolved	4.2.8p4	21 Oct 2015
References	Bug 2899	CVE-2015-7691 CVE-2015-7692 CVE-2015-7702
Affects	All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77.	Resolved in 4.2.8p4.
CVSS2 Score	4.6	AV:N/AC:H/Au:M/C:N/I:N/A:C

---

Description

Incorrect patch for 2671, in crypto_xmit(). Missing length checks for autokey with GQ identity scheme.

The fix for CVE-2014-9750 was incomplete in that there were certain code paths where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash.

---

Mitigation

• Don’t use autokey.
• Upgrade to 4.2.8p4 or later.
• Monitor your ntpd instances.

---

Credit

This weakness was discovered by Tenable Network Security.

---

Timeline

• 2015 Oct 21: Public release
• 2015 Oct 6: Early Access Program Release: Premier and Partner Institutional Members
• 2015 Aug 26: Notification to Institutional Members for 1593, 1774, 2382, 2899, and 2902
• 2015 Aug 20: Initial notification of 2902; analysis begins
• 2015 Aug 11: Initial notification of 2899; analysis begins