Network Time Foundation:
---+ NTP Bug 3379
---+++ NTP-01-004 NTP: Potential Overflows in =ctl_put()= functions (Medium)
   * Date Resolved: 21 Mar 2017
   * References: [[http://bugs.ntp.org/3379][Sec 3379]] / [[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6458][CVE-2017-6458]] / [[http://www.kb.cert.org/vuls/id/325339][VU#325339]]
   * Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including, ntp-4.3.94.
   * CVSS2: MED 4.6 [[https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:M/C:N/I:N/A:C)][(AV:N/AC:H/Au:M/C:N/I:N/A:C)]]
   * CVSS3: MED 4.2 [[https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H][CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H]]
   * Summary: =ntpd= uses several wrappers around =ctl_putdata()= to build the name/value strings in =ntpq= (mode 6) responses; for example, =ctl_putstr()= is normally used to send string data (variable names or string values). The formatting code had no length check on variable names. If someone explicitly configured unusually long variable names in =ntpd= (longer than 200-512 bytes, depending on the variable type), then any of those variables added to a response list would overflow a buffer.
   * Mitigation:
      * Implement BCP-38.
      * Upgrade to 4.2.8p10, or later, from the [[http://www.ntp.org/downloads.html][NTP Project Download Page]] or the [[http://support.ntp.org/download][NTP Public Services Project Download Page]].
      * If you don't want to upgrade, then don't =setvar= variable names longer than 200-512 bytes in your =ntp.conf= file.
      * Properly monitor your =ntpd= instances, and auto-restart =ntpd= (without =-g=) if it stops running.
   * Credit: This weakness was discovered by Cure53.
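The defect class the summary describes, as an added illustration that is not ntpd source code: a fixed-size response line is formatted from a configuration-controlled variable name with no check that the name fits, beside a checked writer that refuses the entry instead, and a configuration-time check matching the =setvar= workaround. The buffer size =CTL_LINE_MAX=, the function names and the sample values are assumptions made for this example; the advisory only states that the real limit lies between 200 and 512 bytes depending on the variable type.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed for this example: the advisory gives a 200-512 byte range. */
#define CTL_LINE_MAX 512

/* Shape of the defect: the variable name is written into a fixed buffer with
 * no bound on strlen(name). Shown for comparison only; never called below. */
void ctl_putstr_unchecked(char *out, const char *name, const char *value)
{
    sprintf(out, "%s=\"%s\"", name, value);
}

/* Hardened equivalent: compute the exact space needed for
 * name + '=' + '"' + value + '"' + NUL and refuse rather than overflow.
 * Returns bytes written (excluding NUL), or -1 if the entry does not fit. */
int ctl_putstr_checked(char *out, size_t outlen, const char *name, const char *value)
{
    size_t nlen = strlen(name);
    size_t vlen = strlen(value);
    size_t need;

    /* Reject each part on its own first so the addition cannot wrap. */
    if (nlen > outlen || vlen > outlen)
        return -1;
    need = nlen + vlen + 4;
    if (need > outlen)
        return -1;

    memcpy(out, name, nlen);
    out[nlen] = '=';
    out[nlen + 1] = '"';
    memcpy(out + nlen + 2, value, vlen);
    out[nlen + 2 + vlen] = '"';
    out[nlen + 3 + vlen] = '\0';
    return (int)(need - 1);
}

/* Configuration-time check in the spirit of the workaround: a setvar name
 * that could never be emitted safely is rejected before it is stored.
 * Leaves room for '=', two quotes, NUL and at least one byte of value. */
int setvar_name_ok(const char *name)
{
    return strlen(name) + 5 <= CTL_LINE_MAX;
}

/* Constructed normal case: returns the line length, or -2 if the text is wrong. */
int demo_version_line(void)
{
    char line[CTL_LINE_MAX];
    int n = ctl_putstr_checked(line, sizeof line, "version", "ntpd 4.2.8p10");
    if (n < 0 || strcmp(line, "version=\"ntpd 4.2.8p10\"") != 0)
        return -2;
    return n;
}

/* Constructed overlong case: a 600-byte name must be refused, not copied. */
int demo_overlong_name(void)
{
    char name[601];
    char line[CTL_LINE_MAX];
    memset(name, 'A', 600);
    name[600] = '\0';
    return ctl_putstr_checked(line, sizeof line, name, "x");
}

/* Boundary case: "abc" + '=' + '"' + "d" + '"' needs 7 bytes plus NUL. */
int demo_boundary(size_t outlen)
{
    char line[16];
    if (outlen > sizeof line)
        outlen = sizeof line;
    return ctl_putstr_checked(line, outlen, "abc", "d");
}

int main(void)
{
    printf("version line: %d bytes\n", demo_version_line());
    printf("600-byte name: %d (rejected)\n", demo_overlong_name());
    printf("setvar_name_ok(\"system\") = %d\n", setvar_name_ok("system"));
    return 0;
}
```

The checked writer returns an error instead of truncating because a silently shortened =name="value"= pair is still a malformed response; the caller should drop the entry and log it, which also gives a monitoring hook for the "properly monitor your =ntpd= instances" advice above.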
Topic revision: r1 - 2017-03-22 - 01:41:39