NTP BUG 2937: nextvar() missing length check in ntpq
Last update: June 28, 2022 20:06 UTC (57417e17c)
Summary
Description
`ntpq` may call `nextvar()`, which executes a `memcpy()` into the `name` buffer without a proper length check against its maximum length of 256 bytes. Note well that we're talking about `ntpq` here. The usual worst-case effect of this vulnerability is that the specific instance of `ntpq` will crash and the person or process that did this will have stopped themselves.
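The missing check, as an added illustration that is not the ntpq source: the function names, the `name=value` input shape and the sample inputs are assumptions made for this example, and only the 256-byte limit comes from the description above. The first function shows the unchecked copy pattern, the second the bounded form that rejects an over-long name instead of copying it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 256 /* maximum name length stated in the advisory */

/* Unchecked pattern (illustrative only): the copy length is derived from
 * the input and never compared with the size of the destination. */
void copy_name_unchecked(char *name, const char *src, size_t src_len)
{
    const char *eq = memchr(src, '=', src_len);
    size_t n = eq ? (size_t)(eq - src) : src_len;

    memcpy(name, src, n); /* writes past name[] when n >= NAME_BUF_LEN */
    name[n] = '\0';
}

/* Hardened form: returns the name length, or -1 if the name is empty or
 * would not fit in name_size bytes including the terminating NUL. */
int copy_name_checked(char *name, size_t name_size,
                      const char *src, size_t src_len)
{
    const char *eq;
    size_t n;

    if (name == NULL || src == NULL || name_size == 0)
        return -1;
    eq = memchr(src, '=', src_len);
    n = eq ? (size_t)(eq - src) : src_len;
    if (n == 0 || n >= name_size)
        return -1;
    memcpy(name, src, n);
    name[n] = '\0';
    return (int)n;
}

int main(void)
{
    char name[NAME_BUF_LEN];
    char oversized[400]; /* constructed input: 400 bytes with no '=' */

    memset(oversized, 'A', sizeof oversized);
    printf("%d\n", copy_name_checked(name, sizeof name, "offset=1.5", 10));
    printf("%d\n", copy_name_checked(name, sizeof name,
                                     oversized, sizeof oversized));
    return 0;
}
```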
Mitigation
- [Upgrade to 4.2.8p6 or later.](/downloads/)
- If you are unable to upgrade:
  - If you have scripts that feed input to `ntpq`, make sure there are some sanity checks on the input received from the "outside".
  - This is potentially more dangerous if `ntpq` is run as root.
Credit
This weakness was discovered by Jonathan Gardner of Cisco ASIG.
Timeline