NTP BUG 3377: Buffer Overflow in ntpq when fetching reslist from a malicious ntpd

Last update: June 27, 2022 20:45 UTC (51d68a4aa)


Summary

Resolved 4.2.8p10 21 Mar 2017
References Bug 3377 CVE-2017-6460
Affects All versions of ntpq, up to but not including
ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
Resolved in 4.2.8p10.
CVSS2 Score MED 4.9 AV:N/AC:H/Au:S/C:N/I:N/A:C
CVSS3 Score MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

Description

A stack buffer overflow in ntpq can be triggered by a malicious ntpd server when ntpq requests the restriction list from the server. This is due to a missing length check in the reslist() function. It occurs whenever the function parses the server’s response and encounters a flagstr variable of an excessive length. The string will be copied into a fixed-size buffer, leading to an overflow on the function’s stack-frame.

Note well that this problem requires a malicious server, and affects ntpq, not ntpd.


Mitigation


Credit

This weakness was discovered by Cure53.


Timeline