NTP BUG 2920: Invalid length data provided by a custom refclock driver could cause a buffer overflow
Last update: June 28, 2022 20:06 UTC (57417e17c)
Summary
| Resolved |
4.2.8p4 |
21 Oct 2015 |
| References |
Bug 2920 |
CVE-2015-7853 |
| Affects |
Potentially all ntp-4 releases running up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77 that have custom refclocks. |
Resolved in 4.2.8p4. |
| CVSS2 Score |
0.0 usual case, 5.9 unusual worst case |
AV:L/AC:H/Au:M/C:C/I:C/A:C |
Description
A negative value for the datalen parameter will overflow a data buffer. NTF’s ntpd driver implementations always set this value to 0 and are therefore not vulnerable to this weakness. If you are running a custom refclock driver in ntpd and that driver supplies a negative value for datalen (no custom driver of even minimal competence would do this) then ntpd would overflow a data buffer. It is even hypothetically possible in this case that instead of simply crashing ntpd the attacker could effect a code injection attack.
Mitigation
- Upgrade to 4.2.8p4 or later.
- If you are unable to upgrade:
- If you are running custom refclock drivers, make sure the signed
datalen value is either zero or positive.
- Monitor your
ntpd instances.
Credit
This weakness was discovered by Yves Younan of Cisco Talos.
Timeline