NTP BUG 3767: An out-of-bounds KoD RATE ppoll value triggers an assertion abort in debug-enabled ntpd

Last update: April 22, 2024 18:49 UTC (7e7bd5857)


Summary

Resolved: 4.2.8p16, 30 May 2023
References: Bug 3767
Affects: ntp-4.2.8p14 up to, but not including ntp-4.2.8p16. Resolved in 4.2.8p16.
CVSS3.1 Score: 2.2 Low, CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L

Description

By default, the NTP software builds with debugging enabled. We expect most folks who build from source to be using NTP for development purposes, where it makes sense to enable debugging. Similarly, we expect production release engineers to build production releases with debugging disabled.

An attacker who has control over an ntpd instance the victim queries, or who is “lucky enough” to guess the packet transmit timestamp of an unauthenticated client request and inject their response before the real server responds, can send a KoD (kiss-of-death) RATE response with an out-of-bounds ppoll value that will cause a debug-enabled victim’s ntpd to abort with an assertion failure.
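
A receive-side bounds check for the condition described above, as an added example in C that is neither ntpd's code nor the fix shipped in 4.2.8p16. The function names, the restriction to mode 4 replies, and the bounds 3 and 17 (the NTP_MINPOLL and NTP_MAXPOLL values in ntpd's ntp.h) are assumptions that the advisory does not state, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed bounds: NTP_MINPOLL / NTP_MAXPOLL from ntpd's ntp.h (not in the advisory). */
#define MINPOLL 3
#define MAXPOLL 17
#define NTP_HDR_LEN 48          /* fixed NTP header, no extension fields or MAC */

enum kod_verdict { MALFORMED, NOT_KOD_RATE, RATE_OK, RATE_OOB };

/* Classify a received datagram; for RATE_* verdicts store the raw poll exponent. */
enum kod_verdict check_kod_rate(const uint8_t *pkt, size_t len, int *ppoll)
{
    if (pkt == NULL || len < NTP_HDR_LEN)
        return MALFORMED;

    unsigned mode = pkt[0] & 0x07;                 /* low 3 bits of LI|VN|Mode */
    uint8_t stratum = pkt[1];
    int poll = pkt[2] >= 128 ? (int)pkt[2] - 256 : (int)pkt[2]; /* signed log2 s */

    /* A kiss-of-death is a stratum-0 reply whose reference ID (bytes 12..15)
     * carries an ASCII kiss code. Narrowed here to server (mode 4) replies,
     * the client/server case the advisory describes. */
    if (mode != 4 || stratum != 0 || memcmp(pkt + 12, "RATE", 4) != 0)
        return NOT_KOD_RATE;

    if (ppoll != NULL)
        *ppoll = poll;
    return (poll < MINPOLL || poll > MAXPOLL) ? RATE_OOB : RATE_OK;
}

/* Clamp rather than assert, so a remote value cannot abort the process. */
int clamp_poll(int poll)
{
    if (poll < MINPOLL) return MINPOLL;
    if (poll > MAXPOLL) return MAXPOLL;
    return poll;
}

/* Constructed sample for exercising the check: header-only KoD RATE reply. */
void sample_kod_rate(uint8_t out[NTP_HDR_LEN], int poll)
{
    memset(out, 0, NTP_HDR_LEN);
    out[0] = 0xE4;                                 /* LI=3, VN=4, Mode=4 */
    out[2] = (uint8_t)poll;
    memcpy(out + 12, "RATE", 4);
}
```

A RATE_OOB verdict is also a useful signal to log when triaging unexpected ntpd aborts on affected debug-enabled builds.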


Mitigation


Credit

Reported by Miroslav Lichvar.


Timeline