NTP BUG 2853: ntpd control message crash: Crafted NUL-byte in configuration directive

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

Summary

Resolved	4.2.8p3	29 Jun 2015
References	Bug 2853	CVE-2015-5146
Affects	4.2.5p3 up to, but not including 4.2.8p3-RC1, and 4.3.0 up to, but not including 4.3.25.	Resolved in 4.2.8p3.
CVSS2 Score	4.9 at likely worst, 1.4 or less at likely best	AV:A/AC:M/Au:S/C:P/I:P/A:P

Description

Under limited and specific circumstances an attacker can send a crafted packet to cause a vulnerable ntpd instance to crash. This requires each of the following to be true:

ntpd set up to allow for remote configuration (not allowed by default), and
knowledge of the configuration password, and
access to a computer entrusted to perform remote configuration.

Mitigation

Upgrade to 4.2.8p3 or later.
Be prudent when deciding what IP addresses can perform remote configuration of an ntpd instance.
Monitor your ntpd instances.

Credit

This weakness was discovered by Aleksis Kauppinen of Codenomicon.

Timeline

2015 Jun 29: Public release
2015 Jun 24: Early Access Program Release: Premier and Partner Institutional Members
2015 Jun 22: Notification to Institutional Members
2015 Jun 16: Notification received from FICORA; analysis begins