NTP BUG 2938: ntpq saveconfig command allows dangerous characters in filenames
Last update: April 22, 2024 18:49 UTC (7e7bd5857)
Summary
Description
The ntpq saveconfig command does not do adequate filtering of special characters from the supplied filename. Note well: The ability to use the saveconfig command is controlled by the restrict nomodify directive, and the recommended default configuration is to disable this capability. If the ability to execute a saveconfig is required, it can easily (and should) be limited and restricted to a known small number of IP addresses.
Mitigation
- Implement BCP-38.
- Use restrict default nomodify in your ntp.conf file.
- [Upgrade to 4.2.8p6 or later.](https://downloads.nwtime.org/ntp/4.2.8/)
- If you are unable to upgrade:
  - build NTP with configure --disable-saveconfig if you will never need this capability, or
  - use restrict default nomodify in your ntp.conf file. Be careful about what IPs have the ability to send modify requests to ntpd.
- Monitor your ntpd instances. saveconfig requests are logged to syslog - monitor your syslog files.
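One way to check an ntp.conf against the restrict advice above is to audit its restrict lines and list who can still send modify requests. This is an added example, not code from the advisory or the NTP project; the function names and the sample configurations (documentation addresses) are constructed, and it treats noquery and ignore as blocking modify requests alongside nomodify.

```python
# nomodify, noquery and ignore each stop ntpq/ntpdc modify requests such as saveconfig.
BLOCKING = {"nomodify", "noquery", "ignore"}

def parse_restrict(conf_text):
    """Yield (families, target, flags) for every restrict line in ntp.conf text."""
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        words = words[1:]
        families = {"4", "6"}            # unqualified entry: both address families
        if words[0] in ("-4", "-6"):
            families, words = {words[0][1]}, words[1:]
        if not words:
            continue
        target, flags = words[0], words[1:]
        if len(flags) >= 2 and flags[0] == "mask":
            target, flags = f"{target} mask {flags[1]}", flags[2:]
        yield families, target, set(flags)

def audit(conf_text):
    """Return (families whose default still permits modify, specific targets that may modify)."""
    default_flags = {"4": None, "6": None}   # None: no default line seen for that family
    may_modify = []
    for families, target, flags in parse_restrict(conf_text):
        if target == "default":
            for fam in families:
                # Flags of repeated default lines are merged (assumed to mirror ntpd).
                default_flags[fam] = (default_flags[fam] or set()) | flags
        elif not flags & BLOCKING:
            may_modify.append(target)
    open_defaults = sorted(f for f, fl in default_flags.items()
                           if fl is None or not fl & BLOCKING)
    return open_defaults, sorted(may_modify)

# Constructed sample configurations (documentation addresses, not from the advisory).
WEAK = """\
restrict -4 default kod notrap nopeer
restrict 127.0.0.1
"""
HARDENED = """\
restrict default kod nomodify notrap nopeer   # applies to IPv4 and IPv6
restrict 127.0.0.1
restrict 192.0.2.10 mask 255.255.255.255      # management host allowed to modify
restrict 198.51.100.0 mask 255.255.255.0 nomodify notrap
"""
if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf))
```

An empty first element means every default entry blocks modify requests; the second element is the short list of addresses to review by hand.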
Credit
This weakness was discovered by Jonathan Gardner of Cisco ASIG.
Timeline