NTP BUG 2937: nextvar() missing length check in ntpq

Last update: February 15, 2022 20:59 UTC (43fbd379b)


Summary

Resolved 4.2.8p6 19 Jan 2016
References Bug 2937 CVE-2015-7975
Affects All ntp-4 releases up to, but not including 4.2.8p6,
and 4.3.0 up to, but not including 4.3.90.
Resolved in 4.2.8p6.
CVSS2 Score 1.2 AV:L/AC:H/Au:N/C:N/I:N/A:P
If you score A:C, this becomes 4.0.
CVSS3 Score LOW 2.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

ntpq may call nextvar() which executes a memcpy() into the name buffer without a proper length check against its maximum length of 256 bytes. Note well that we’re taking about ntpq here. The usual worst-case effect of this vulnerability is that the specific instance of ntpq will crash and the person or process that did this will have stopped themselves.


Mitigation


Credit

This weakness was discovered by Jonathan Gardner of Cisco ASIG.


Timeline