NTP BUG 3565: Crafted null dereference attack from a trusted source with an authenticated mode 6 packet

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

Summary

Resolved	4.2.8p13	07 Mar 2019
References	Bug 3565	CVE-2019-8936
Affects	All ntp-4 releases up to, but not including 4.2.8p13, and 4.3.0 up to, but not including 4.3.94.	Resolved in 4.2.8p13 and 4.3.94.
CVSS2 Score	4.6	AV:N/AC:H/Au:M/C:N/I:N/A:C
CVSS3 Score	4.2	CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Description

A crafted malicious authenticated mode 6 (ntpq) packet from a permitted network address can trigger a NULL pointer dereference, crashing ntpd. Note that for this attack to work, the sending system must be on an address that the target’s ntpd accepts mode 6 packets from, and must use a private key that is specifically listed as being used for mode 6 authorization.

Mitigation

Use restrict noquery to limit addresses that can send mode 6 queries.
Limit access to the private controlkey in ntp.keys.
Upgrade to 4.2.8p13 or later.

Credit

Reported by Magnus Stubman.

Timeline

2019 Mar 07: Public release
2019 Feb 19: Early Access Program Release: Premier and Partner Institutional Members
2019 Jan 17: Notification to Institutional Members
2019 Jan 15: Notification from reporter