NTP BUG 2937: nextvar() missing length check in ntpq
Last update: April 22, 2024 18:49 UTC (7e7bd5857)
Summary
Description
`ntpq` may call `nextvar()`, which executes a `memcpy()` into the name buffer without a proper length check against its maximum length of 256 bytes. Note well that we're talking about `ntpq` here. The usual worst-case effect of this vulnerability is that the specific instance of `ntpq` will crash and the person or process that did this will have stopped themselves.
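The missing check described above, shown as an added example rather than ntpq's own source: `copy_name()`, `NAME_BUF_LEN` and the sample inputs are hypothetical and constructed for illustration. The length of the parsed name is bounded against the destination size before `memcpy()` runs, and an oversized name is rejected instead of truncated or copied.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 256 /* hypothetical name; size is the one the advisory states */

/*
 * Hypothetical helper, not ntpq's nextvar(). Copies the name part of a
 * "name=value" or "name," item from src[0..srclen) into dst (dstsize bytes).
 * Returns the name length, or -1 if name plus NUL would not fit.
 */
static int copy_name(const char *src, size_t srclen, char *dst, size_t dstsize)
{
    size_t n = 0;

    /* Find the end of the name without reading past the input. */
    while (n < srclen && src[n] != '=' && src[n] != ',')
        n++;

    /* Bound the copy length BEFORE memcpy(); leave room for the NUL. */
    if (dstsize == 0 || n >= dstsize)
        return -1;

    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Constructed input: an ordinary variable item. */
static int demo_short(void)
{
    char name[NAME_BUF_LEN];
    const char in[] = "offset=0.123";
    return copy_name(in, sizeof(in) - 1, name, sizeof(name));
}

/* Constructed input: a name of len 'A' bytes with no delimiter. */
static int demo_fill(size_t len)
{
    char name[NAME_BUF_LEN];
    char in[512];
    if (len > sizeof(in))
        return -2;
    memset(in, 'A', len);
    return copy_name(in, len, name, sizeof(name));
}

int main(void)
{
    printf("%d %d %d\n", demo_short(), demo_fill(255), demo_fill(300));
    return 0;
}
```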
Mitigation
- [Upgrade to 4.2.8p6 or later.](https://downloads.nwtime.org/ntp/4.2.8/)
- If you are unable to upgrade:
  - If you have scripts that feed input to `ntpq`, make sure there are some sanity checks on the input received from the “outside”.
  - This is potentially more dangerous if `ntpq` is run as root.
Credit
This weakness was discovered by Jonathan Gardner of Cisco ASIG.
Timeline