NTP BUG 3505: NTPQ/NTPDC: Buffer Overflow in openhost()

Last update: February 15, 2022 15:25 UTC (b158e7036)


Summary

Resolved:     4.2.8p12, 14 Aug 2018
References:   Bug 3505, CVE-2018-12327
Affects:      All ntp-4 releases up to, but not including 4.2.8p12,
              and 4.3.0 up to, but not including 4.3.94.
              Resolved in 4.2.8p12 and 4.3.94.
CVSS2 Score:  LOW 1.7 AV:L/AC:L/Au:S/C:P/I:N/A:N
CVSS3 Score:  LOW 2.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

Description

The openhost() function used by ntpq and ntpdc is vulnerable to a buffer overflow. If ntpq or ntpdc is given an excessively long hostname on the command line, or a carefully crafted byte stream, it will suffer from the usual stack overflow problems.
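
The class of fix for an over-long hostname, as an added example that is not the NTP project's code: the name is length-checked against the destination before it is copied into a fixed stack buffer. HOSTBUF_LEN, copy_hostname() and open_host_checked() are hypothetical names chosen for this sketch.

```c
#include <stdio.h>
#include <string.h>

#define HOSTBUF_LEN 256 /* assumed size of the fixed stack buffer */

/* Unsafe pattern, shown only as a comment for contrast: the amount copied
 * is decided by the caller's input, not by the destination size.
 *     char name[HOSTBUF_LEN];
 *     strcpy(name, hname);
 */

/* Copy hname into dst (dstlen bytes). Returns 0 on success, -1 when the
 * input is missing, empty, or does not fit together with its NUL. */
int copy_hostname(char *dst, size_t dstlen, const char *hname)
{
    size_t n;
    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (hname == NULL)
        return -1;
    /* Measure at most dstlen bytes so a huge argument is never fully scanned. */
    for (n = 0; n < dstlen && hname[n] != '\0'; n++)
        ;
    /* Reject instead of truncating: a cut-off name may be a different host. */
    if (n == 0 || n == dstlen)
        return -1;
    memcpy(dst, hname, n);
    dst[n] = '\0';
    return 0;
}

/* Hypothetical stand-in for a host-opening routine; returns 1 if accepted. */
int open_host_checked(const char *hname)
{
    char name[HOSTBUF_LEN];
    if (copy_hostname(name, sizeof(name), hname) != 0) {
        fprintf(stderr, "hostname rejected: empty or over %d bytes\n",
                HOSTBUF_LEN - 1);
        return 0;
    }
    /* Name resolution and socket setup would follow here, using name. */
    return 1;
}

int main(int argc, char **argv)
{
    return (argc > 1 && open_host_checked(argv[1])) ? 0 : 1;
}
```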


Mitigation

Upgrade to 4.2.8p12 or later.


Credit

Reported by Fakhri Zulkifli.


Timeline