NTP BUG 2948: Potential Infinite Loop in ntpq
Last update: June 28, 2022 20:06 UTC (57417e17c)
ntpq processes incoming packets in a loop in
getresponse(). The loop’s only stopping conditions are receiving a complete and correct response or hitting a small number of error conditions. If the packet contains incorrect values that don’t trigger one of the error conditions, the loop continues to receive new packets.
Note well, this is an attack against an instance of
ntpd, and this attack requires the attacker to do one of the following:
- Own a malicious NTP server that the client trusts.
- Prevent a legitimate NTP server from sending packets to the
- MITM the
ntpq communications between the
ntpq client and the NTP server.
This weakness was discovered by Jonathan Gardner of Cisco ASIG.