NTP BUG 2920: Invalid length data provided by a custom refclock driver could cause a buffer overflow

Last update: March 2, 2022 17:28 UTC (616623bea)


Summary

Resolved: 4.2.8p4, 21 Oct 2015
References: Bug 2920, CVE-2015-7853
Affects: Potentially all ntp-4 releases up to, but not including, 4.2.8p4,
and 4.3.0 up to, but not including, 4.3.77, that run custom refclocks.
Resolved in 4.2.8p4.
CVSS2 Score: 0.0 (usual case); 5.9 (unusual worst case, AV:L/AC:H/Au:M/C:C/I:C/A:C)

Description

A negative value for the datalen parameter overflows a data buffer. The refclock drivers that NTF ships with ntpd always set this value to 0 and are therefore not vulnerable to this weakness. If you run a custom refclock driver in ntpd and that driver supplies a negative datalen (no custom driver of even minimal competence would do this), ntpd will overflow a data buffer. In that case it is even hypothetically possible that, rather than simply crashing ntpd, an attacker could turn the overflow into a code injection attack.
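As an added illustration of the failure mode described above (this is not ntpd's source; the names clock_io, read_len_vulnerable, read_len_hardened, read_stays_in_bounds and RECV_SPACE are assumptions chosen for the example), the following C program models a length-selection check that rejects a datalen of 0 and a datalen larger than the receive buffer but lets a negative value through. Once the negative int is used as an unsigned read count it exceeds the buffer, which is the overflow the description refers to. The hardened variant rejects any value that is not a positive length within the buffer.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical size of the per-packet receive buffer (an assumption, not
 * ntpd's constant). */
#define RECV_SPACE 256

/* Stand-in for the driver-visible I/O descriptor: the only field that
 * matters for this weakness is the driver-supplied datalen. */
struct clock_io {
    int datalen;   /* 0 = use the whole buffer; >0 = fixed packet length */
};

/* Vulnerable length selection, modeled on the advisory text: only
 * datalen == 0 and datalen larger than the buffer fall back to the buffer
 * size.  A negative datalen survives both tests and is then returned as an
 * unsigned read count, i.e. a count far larger than the buffer. */
size_t read_len_vulnerable(const struct clock_io *rp)
{
    int n = (rp->datalen == 0 || rp->datalen > (int)RECV_SPACE)
                ? (int)RECV_SPACE
                : rp->datalen;
    return (unsigned)n;   /* -1 wraps to UINT_MAX here */
}

/* Hardened length selection: any value that is not a positive length
 * within the buffer is replaced by the buffer size. */
size_t read_len_hardened(const struct clock_io *rp)
{
    int n = (rp->datalen <= 0 || rp->datalen > (int)RECV_SPACE)
                ? (int)RECV_SPACE
                : rp->datalen;
    return (size_t)n;
}

/* Would a read of `count` bytes into the receive buffer stay in bounds? */
int read_stays_in_bounds(size_t count)
{
    return count <= RECV_SPACE;
}

int main(void)
{
    /* Constructed datalen values: normal, oversized, and the negative case. */
    const int samples[] = { 0, 48, 1024, -1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct clock_io io = { samples[i] };
        size_t weak = read_len_vulnerable(&io);
        size_t safe = read_len_hardened(&io);
        printf("datalen=%5d  vulnerable count=%10zu (%s)  hardened count=%zu\n",
               samples[i], weak,
               read_stays_in_bounds(weak) ? "ok" : "OVERFLOW",
               safe);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the last row shows the negative datalen passing the vulnerable check and producing a read count that cannot fit in the buffer, while the hardened check clamps it to the buffer size. The same `<= 0` test is the one-line guard a custom driver reviewer should look for wherever a driver-supplied length is consumed.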


Mitigation

Upgrade to 4.2.8p4 or later.
If you run a custom refclock driver, verify that it never supplies a negative value for datalen.

Credit

This weakness was discovered by Yves Younan of Cisco Talos.


Timeline