NTP BUG 3384: Privileged execution of User Library code (WINDOWS PPSAPI ONLY)

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

Summary

Resolved	4.2.8p10	21 Mar 2017
References	Bug 3384	CVE-2017-6455
Affects	All Windows versions of ntp-4 that use the PPSAPI, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.	Resolved in 4.2.8p10.
CVSS2 Score	MED 3.8	AV:L/AC:H/Au:S/C:N/I:N/A:C
CVSS3 Score	MED 4.0	CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Description

The Windows NT port has the added capability to preload DLLs defined in the inherited global local environment variable PPSAPI_DLLS. The code contained within those libraries is then called from the NTPD service, usually running with elevated privileges. Depending on how securely the machine is setup and configured, if ntpd is configured to use the PPSAPI under Windows this can easily lead to a code injection.

Mitigation

Implement BCP-38.
Upgrade to 4.2.8p10 or later.

Credit

This weakness was discovered by Cure53.

Timeline

2017 Mar 21: Public release
2017 Mar 06: Early Access Program Release: Premier and Partner Institutional Members
2017 Mar 06: Notification to Institutional Members
2017 Feb 09: Mozilla/Cure53 audit received