NTP BUG 3009: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC

Last update: February 15, 2022 20:59 UTC (43fbd379b)


Summary

Resolved: 4.2.8p7, 26 Apr 2016
References: Bug 3009, CVE-2016-2518
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p7.
CVSS2 Score: LOW 2.1 AV:N/AC:H/Au:S/C:N/I:N/A:P
CVSS3 Score: LOW 2.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L

Description

Using a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference.
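The class of defect described above, shown as an added example that is not ntpd source code: a mode-indexed action table with the range check applied both at lookup time and at the point where the peer association is created. The table size, its contents, and the names N_MODES, action_tbl, peer_model, flat_offset, match_assoc_checked and add_peer are assumptions made for this model.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not ntpd source. N_MODES = 8 is an assumption chosen
 * so that indices 0..7 are in range, matching the advisory's "hmode > 7". */
#define N_MODES 8
enum { ACT_NONE = 0, ACT_PROCESS = 1, ACT_NEWASSOC = 2, ACT_REJECT = -1 };

/* Hypothetical action table indexed by [host mode][packet mode]. */
static const int action_tbl[N_MODES][N_MODES] = {
    [0] = { [1] = ACT_NEWASSOC, [3] = ACT_NEWASSOC },
    [1] = { [1] = ACT_PROCESS,  [2] = ACT_PROCESS  },
    [3] = { [4] = ACT_PROCESS },
};

struct peer_model { unsigned char hmode; };   /* hypothetical peer record */

/* Element offset an unchecked table[hmode][pmode] would dereference.
 * Computed arithmetically only; nothing is read out of bounds here. */
size_t flat_offset(unsigned hmode, unsigned pmode)
{
    return (size_t)hmode * N_MODES + pmode;
}

/* Bounds-checked lookup: refuse any index outside the table. */
int match_assoc_checked(unsigned hmode, unsigned pmode)
{
    if (hmode >= N_MODES || pmode >= N_MODES)
        return ACT_REJECT;
    return action_tbl[hmode][pmode];
}

/* Validate where the value enters: reject the add-peer request itself,
 * so no association ever stores an hmode the lookup cannot index. */
int add_peer(struct peer_model *p, unsigned hmode)
{
    if (hmode >= N_MODES)
        return -1;
    p->hmode = (unsigned char)hmode;
    return 0;
}

int main(void)
{
    struct peer_model p;
    printf("hmode=3: add_peer=%d action=%d\n", add_peer(&p, 3), match_assoc_checked(3, 4));
    printf("hmode=8: add_peer=%d action=%d offset=%zu of %d\n", add_peer(&p, 8),
           match_assoc_checked(8, 4), flat_offset(8, 4), N_MODES * N_MODES);
    return 0;
}
```

In this model the table holds 64 elements, so the offset 68 computed for hmode 8 lies past its end, which is why the request is rejected before any lookup happens.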


Mitigation


Credit

This weakness was discovered by Yihan Lian of the Cloud Security Team, Qihoo 360.


Timeline