NTP BUG 2948: Potential Infinite Loop in ntpq

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

---

Summary

Resolved	4.2.8p6	19 Jan 2016
References	Bug 2948	CVE-2015-8158
Affects	All ntp-4 releases up to, but not including 4.2.8p6, and 4.3.0 up to, but not including 4.3.90.	Resolved in 4.2.8p6
CVSS2 Score	MED 4.3	AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3 Score	MED 5.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

---

Description

ntpq processes incoming packets in a loop in getresponse(). The loop’s only stopping conditions are receiving a complete and correct response or hitting a small number of error conditions. If the packet contains incorrect values that don’t trigger one of the error conditions, the loop continues to receive new packets.

Note well, this is an attack against an instance of ntpq, not ntpd, and this attack requires the attacker to do one of the following:

• Own a malicious NTP server that the client trusts.
• Prevent a legitimate NTP server from sending packets to the ntpq client.
• MITM the ntpq communications between the ntpq client and the NTP server.

---

Mitigation

• Upgrade to 4.2.8p6 or later.

---

Credit

This weakness was discovered by Jonathan Gardner of Cisco ASIG.

---

Timeline

• 2016 Jan 19: Public release
• 2016 Jan 17: Early Access Program Release: Premier and Partner Institutional Members
• 2015 Nov 5: Notification to Institutional Members
• 2016 Oct 16: Initial notification from Cisco