NTP BUG 3011: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd

Last update: February 15, 2022 20:59 UTC (43fbd379b)


Summary

Resolved: 4.2.8p7 / 26 Apr 2016
References: Bug 3011, CVE-2016-2516
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p7.
CVSS2 Score: MED 6.3 AV:N/AC:M/Au:S/C:N/I:N/A:C
CVSS3 Score: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Description

If ntpd was expressly configured to allow remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd. If that user then unconfigures an existing association using the same IP twice on the unconfig directive line, ntpd will abort.
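The following is an added example, not part of the advisory or the NTP project's code: a Python check that reports whether a host meets the preconditions described above, using the affected version ranges from the Summary. The function names and the sample configuration are constructed for illustration; it assumes plain release strings such as 4.2.8p6 and the ntp.conf directives controlkey, requestkey and enable mode7, and it does not evaluate restrict or trustedkey lines.

```python
import re

def parse_version(v):
    """'4.2.8p6' -> (4, 2, 8, 6); a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised ntp version: {v!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(v):
    """Affected ranges exactly as given in the Summary."""
    ver = parse_version(v)
    if ver[0] != 4:
        return False
    if (4, 3, 0) <= ver[:3] < (4, 3, 92):   # 4.3.0 up to, not including, 4.3.92
        return True
    return ver < (4, 2, 8, 7)                # everything before 4.2.8p7

def remote_config_paths(conf_text):
    """List the authenticated remote-configuration paths a config enables."""
    controlkey = requestkey = mode7 = False
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments
        if len(words) < 2:
            continue
        if words[0] == "controlkey":
            controlkey = True
        elif words[0] == "requestkey":
            requestkey = True
        elif words[0] in ("enable", "disable") and "mode7" in words[1:]:
            mode7 = words[0] == "enable"
    # requestkey only matters when mode7 is expressly enabled
    return [name for name, on in (("ntpq/controlkey", controlkey),
                                  ("ntpdc/requestkey", requestkey and mode7)) if on]

def exposed_paths(version, conf_text):
    """Paths through which this bug is reachable; empty if not affected."""
    return remote_config_paths(conf_text) if version_affected(version) else []

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
server 192.0.2.10 iburst
trustedkey 1 2
controlkey 1      # remote configuration via ntpq
requestkey 2      # only matters when mode7 is enabled
"""

if __name__ == "__main__":
    for ver in ("4.2.8p6", "4.2.8p7", "4.3.91"):
        print(ver, exposed_paths(ver, SAMPLE_CONF))
```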


Mitigation


Credit

This weakness was discovered by Yihan Lian of the Cloud Security Team, Qihoo 360.


Timeline