NTP BUG 2922: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values

Last update: June 28, 2022 20:06 UTC (57417e17c)

Summary

Resolved	4.2.8p4	21 Oct 2015
References	Bug 2922	CVE-2015-7855
Affects	All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77.	Resolved in 4.2.8p4.
CVSS2 Score	4.6	AV:N/AC:H/Au:M/C:N/I:N/A:C Base Score: 4.6, worst case

Description

If ntpd is fed a crafted mode 6 or mode 7 packet containing an unusually long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning a failure condition.

Mitigation

Implement BCP-38..
Upgrade to 4.2.8p4 or later.
If you are unable to upgrade:
- mode 7 is disabled by default. Don’t enable it.
- Use restrict noquery to limit who can send mode 6 and mode 7 requests.
- Configure and use the controlkey and requestkey authentication directives to limit who can send mode 6 and mode 7 requests.
Monitor your ntpd instances.

Credit

This weakness was discovered by John D “Doug” Birdwell with the Institute for Defense Analyses (IDA.org).

Timeline

2015 Oct 21: Public release
2015 Oct 6: Early Access Program Release: Premier and Partner Institutional Members
2015 Aug 26: Notification to Institutional Members for 1593, 1774, 2382, 2899, and 2902
2015 Aug 20: Initial notification of 2902; analysis begins
2015 Aug 11: Initial notification of 2899; analysis begins