NTP BUG 2919: ntpq atoascii() potential memory corruption
Last update: April 22, 2024 18:49 UTC (7e7bd5857)
Summary
Description
If an attacker can determine the precise moment that ntpq is listening for data and the port number it is listening on, or if the attacker can provide a malicious instance of ntpd that victims will connect to, then the attacker can send a set of crafted mode 6 response packets that, if received by ntpq, can cause ntpq to crash.
Mitigation
- Implement BCP-38.
- Upgrade to 4.2.8p4 or later.
- If you are unable to upgrade and you run ntpq against a server and ntpq crashes, try again using raw mode. Build or get a patched ntpq and see if that fixes the problem. Report new bugs in ntpq or abusive servers appropriately.
- If you use ntpq in scripts, make sure ntpq does what you expect in your scripts.
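One way to apply the last two mitigations in a script, as an added example that is not part of the advisory or the NTP distribution: a POSIX shell wrapper that detects an ntpq crash from its exit status, retries once in raw mode, and rejects empty answers. The `NTPQ_BIN` variable, the function names and the return code 10 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory. NTPQ_BIN is an assumed override so the
# wrapper can point at a patched ntpq build (or at a stub when testing).
NTPQ_BIN="${NTPQ_BIN:-ntpq}"

# classify_status STATUS: map an exit status to ok | crash | error.
# The shell reports 128+N when a child is killed by signal N
# (139 = SIGSEGV, 134 = SIGABRT), which is how a crashing ntpq shows up.
classify_status() {
    if [ "$1" -eq 0 ]; then echo ok
    elif [ "$1" -gt 128 ]; then echo crash
    else echo error
    fi
}

# ntpq_checked HOST CMD: run one ntpq command and print its output.
# Returns 0 on a normal answer, 10 if ntpq crashed but the raw-mode retry
# answered (worth reporting), 1 if no usable answer was obtained.
# Return code 10 is this example's own convention.
ntpq_checked() {
    nc_st=0
    nc_out=$("$NTPQ_BIN" -n -c "$2" "$1" 2>/dev/null) || nc_st=$?
    nc_state=$(classify_status "$nc_st")
    # Treat an empty answer as a failure even when the exit status is 0.
    if [ "$nc_state" = ok ] && [ -n "$nc_out" ]; then
        printf '%s\n' "$nc_out"
        return 0
    fi
    if [ "$nc_state" = crash ]; then
        echo "ntpq crashed (status $nc_st) on $1; retrying in raw mode" >&2
        nc_st=0
        nc_out=$("$NTPQ_BIN" -n -c raw -c "$2" "$1" 2>/dev/null) || nc_st=$?
        if [ "$nc_st" -eq 0 ] && [ -n "$nc_out" ]; then
            printf '%s\n' "$nc_out"
            return 10
        fi
    fi
    echo "no usable ntpq answer from $1 (status $nc_st)" >&2
    return 1
}
```

A calling script can branch on the return value, for example logging the server address when it sees 10 so the crash can be reported.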
Credit
This weakness was discovered by Yves Younan and Aleksander Nikolich of Cisco Talos.
Timeline