Last update: April 22, 2024 18:49 UTC (7e7bd5857)
Resolved | 4.2.8p4 | 21 Oct 2015 |
---|---|---|
References | Bug 2920 | CVE-2015-7853 |
Affects | Potentially all ntp-4 releases running up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 that have custom refclocks. Resolved in 4.2.8p4. |
CVSS2 Score | 0.0 usual case, 5.9 unusual worst case | AV:L/AC:H/Au:M/C:C/I:C/A:C |

A negative value for the `datalen` parameter will overflow a data buffer. NTF’s `ntpd` driver implementations always set this value to 0 and are therefore not vulnerable to this weakness. If you are running a custom refclock driver in `ntpd` and that driver supplies a negative value for `datalen` (no custom driver of even minimal competence would do this) then `ntpd` would overflow a data buffer. It is even hypothetically possible in this case that instead of simply crashing `ntpd` the attacker could effect a code injection attack.
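
The signed-length mistake described above, as an added C example that is not ntpd's own code: the function names, the `RECV_SPACE` size and the convention that 0 means "use the whole buffer" are assumptions made for illustration. It compares a bounds check that ignores negative values with one that rejects them, computing only the byte count and performing no read.

```c
#include <stddef.h>
#include <stdio.h>

#define RECV_SPACE 1024  /* constructed buffer size for this example */

/* Weak form (hypothetical): only zero and too-large values are replaced.
 * A negative datalen passes the signed comparison, then turns into a huge
 * count when converted to the unsigned type a read()-style call expects. */
static size_t weak_read_len(int datalen)
{
    int n = (datalen == 0 || datalen > (int)RECV_SPACE)
                ? (int)RECV_SPACE
                : datalen;
    return (size_t)n;
}

/* Hardened form (hypothetical): anything that is not a positive value
 * within the buffer falls back to the buffer size, so the count handed
 * to the read can never exceed the space available. */
static size_t safe_read_len(int datalen)
{
    if (datalen <= 0 || (size_t)datalen > RECV_SPACE)
        return RECV_SPACE;
    return (size_t)datalen;
}

int main(void)
{
    /* Constructed driver-supplied values: default, normal, oversized, negative. */
    int samples[] = { 0, 100, 4096, -1 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t w = weak_read_len(samples[i]);
        size_t s = safe_read_len(samples[i]);
        printf("datalen=%5d weak=%zu%s safe=%zu\n", samples[i], w,
               w > RECV_SPACE ? " (exceeds buffer)" : "", s);
    }
    return 0;
}
```

A custom refclock driver can apply the same `datalen <= 0` test to its own value before handing it to `ntpd`.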

`datalen` value is either zero or positive.

`ntpd` instances.

This weakness was discovered by Yves Younan of Cisco Talos.