NTP BUG 3412: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak

Last update: February 15, 2022 15:25 UTC (b158e7036)


Summary

Resolved: 4.2.8p11, 27 Feb 2018
References: Bug 3412, CVE-2018-7182
Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11. Resolved in 4.2.8p11.
CVSS2 Score: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N); 0.0 if C:N
CVSS3 Score: NONE 0.0 - MED 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N); 0.0 if C:N

Description

ctl_getitem() is used by ntpd to process incoming mode 6 packets. A malicious mode 6 packet can be sent to an ntpd instance, and if that instance runs 4.2.8p6 through 4.2.8p10, the packet will cause ctl_getitem() to read past the end of its buffer.
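The bug class above is a parser that walks a packet payload looking for a delimiter without honouring the payload's declared length. The following C program is an added illustration, not ntpd's ctl_getitem() and not code from the advisory: it models a mode 6 payload as a byte buffer of known length that need not be NUL-terminated and shows a bounded item reader that stops at the length instead of at the next delimiter. The function names, the comma-separated item layout and the constructed payload are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ITEM_MAX 64

/* Hypothetical bounded reader (an assumption for this example, not ntpd's
 * ctl_getitem()). Copies the next comma-separated item from buf[*pos..len)
 * into out and advances *pos. Every read is guarded by "*pos < len", so a
 * payload whose last item has no terminating delimiter is returned as-is
 * rather than causing reads beyond the packet. Items longer than outsz-1
 * are truncated, never written past out. Returns the stored item length,
 * 0 when the payload is exhausted. */
size_t next_item(const unsigned char *buf, size_t len, size_t *pos,
                 char *out, size_t outsz)
{
    size_t n = 0;

    /* Skip separators and padding before the item, bounded by len. */
    while (*pos < len && (buf[*pos] == ',' || buf[*pos] == ' '))
        (*pos)++;

    /* Copy up to the next delimiter OR the end of the payload. */
    while (*pos < len && buf[*pos] != ',') {
        if (n + 1 < outsz)
            out[n++] = (char)buf[*pos];
        (*pos)++;
    }
    out[n] = '\0';
    return n;
}

/* Count the items in a payload using only the declared length. */
size_t count_items(const unsigned char *buf, size_t len)
{
    char item[ITEM_MAX];
    size_t pos = 0, count = 0;

    while (next_item(buf, len, &pos, item, sizeof item) > 0)
        count++;
    return count;
}

/* Constructed payload: "stratum,version" with NO NUL terminator and two
 * trailing bytes that lie outside the declared length. A reader that scans
 * for ',' or '\0' would walk into the 'X' bytes; the bounded reader does not. */
static const unsigned char demo_payload[] = {
    's', 't', 'r', 'a', 't', 'u', 'm', ',',
    'v', 'e', 'r', 's', 'i', 'o', 'n',
    'X', 'X'
};
static const size_t demo_len = 15;   /* declared payload length */

/* Parse the constructed payload and return how many items were found. */
size_t parse_demo_payload(void)
{
    return count_items(demo_payload, demo_len);
}

int main(void)
{
    char item[ITEM_MAX];
    size_t pos = 0;

    while (next_item(demo_payload, demo_len, &pos, item, sizeof item) > 0)
        printf("item: %s\n", item);
    printf("items found: %zu\n", parse_demo_payload());
    return 0;
}
```

The point of the guard is that the stop condition is the payload length, not the presence of a delimiter or NUL in the data; an attacker controls the bytes but not the length the receiver has already validated.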


Mitigation


Credit

This weakness was discovered by Yihan Lian of Qihoo 360.


Timeline