NTP BUG 2939: reslist NULL pointer dereference

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

---

Summary

Resolved	4.2.8p6	19 Jan 2016
References	Bug 2939	CVE-2015-7977
Affects	All ntp-4 releases up to, but not including 4.2.8p6, and 4.3.0 up to, but not including 4.3.90.	Resolved in 4.2.8p6.
CVSS2 Score	4.3	AV:N/AC:M/Au:N/C:N/I:N/A:P

---

Description

An unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by causing a NULL pointer dereference.

---

Mitigation

• Implement BCP-38.

• Upgrade to 4.2.8p6 or later.](https://downloads.nwtime.org/ntp/4.2.8/)

• If you are unable to upgrade:

  • In ntp-4.2.8, mode 7 is disabled by default. Don’t enable it.
  • If you must enable mode 7:
    • configure the use of a requestkey to control who can issue mode 7 requests.
    • configure restrict noquery to further limit mode 7 requests to trusted sources.

• Monitor your ntpd instances.

---

Credit

This weakness was discovered by Stephen Gray of Cisco ASIG.

---

Timeline

• 2016 Jan 19: Public release
• 2016 Jan 17: Early Access Program Release: Premier and Partner Institutional Members
• 2015 Nov 5: Notification to Institutional Members
• 2016 Oct 16: Initial notification from Cisco