NTP BUG 3610: process_control() should bail earlier on short packets

Last update: June 27, 2022 20:45 UTC (51d68a4aa)

Summary

Resolved	4.2.8p14	03 Mar 2020
References	Bug 3610
Affects	All versions of ntpd up to, but not including ntp-4.2.8p14 and ntp-4.3.100.	Resolved in ntp-4.2.8p14 and ntp-4.3.100.
CVSS2 Score	0.0	AV:N/AC:L/Au:N/C:N/I:N/A:N
CVSS3 Score	0.0	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Description

Fuzz testing detected that on systems that override the default and enable ntpdc (mode 7) packets, a short packet will cause ntpd to read uninitialized data.

Mitigation

Leave mode7 disabled.
Pay attention to error messages logged by ntpd.
Monitor your ntpd instances.

Upgrade to 4.2.8p14 or later.

Credit

Reported by Philippe Antoine (Catena cyber with oss-fuzz).

Timeline

2020 Mar 03: Public release
2020 Feb 17: Early Access Program Release: Premier and Partner Institutional Members
2019 Jun 05: Notification to Institutional Members
2019 May 30: Notification from reporter