NTP BUG 2853: ntpd control message crash: Crafted NUL-byte in configuration directive

Last update: June 28, 2022 20:06 UTC (57417e17c)


Resolved 4.2.8p3 29 Jun 2015
References Bug 2853 CVE-2015-5146
Affects 4.2.5p3 up to, but not including 4.2.8p3-RC1,
and 4.3.0 up to, but not including 4.3.25.
Resolved in 4.2.8p3.
CVSS2 Score 4.9 at likely worst, 1.4 or less at likely best AV:A/AC:M/Au:S/C:P/I:P/A:P


Under limited and specific circumstances an attacker can send a crafted packet to cause a vulnerable ntpd instance to crash. This requires each of the following to be true:

  1. ntpd set up to allow for remote configuration (not allowed by default), and
  2. knowledge of the configuration password, and
  3. access to a computer entrusted to perform remote configuration.



This weakness was discovered by Aleksis Kauppinen of Codenomicon.