NTP BUG 3009: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC

Last update: June 28, 2022 20:06 UTC (57417e17c)

---

Summary

Resolved	4.2.8p7	26 Apr 2016
References	Bug 3009	CVE-2016-2518
Affects	All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92.	Resolved in 4.2.8p7.
CVSS2 Score	LOW 2.1	AV:N/AC:H/Au:S/C:N/I:N/A:P
CVSS3 Score	LOW 2.0	CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L

---

Description

Using a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference.

---

Mitigation

• Implement BCP-38.
• Upgrade to 4.2.8p7 or later.
• Properly monitor your ntpd instances.

---

Credit

This weakness was discovered by Yihan Lian of the Cloud Security Team, Qihoo 360.

---

Timeline

• 2016 Apr 26: Public release
• 2016 Apr 12: Early Access Program Release: Premier and Partner Institutional Members
• 2016 Feb 14: Notification to Institutional Members
• 2016 Jan 12: Initial notification from Cisco