NTP BUG 3412: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak

Last update: June 27, 2022 20:45 UTC (51d68a4aa)

Summary

Resolved	4.2.8p11	27 Feb 2018
References	Bug 3412	CVE-2018-7182
Affects	ntp-4.2.8p6, up to but not including ntp-4.2.8p11.	Resolved in 4.2.8p11.
CVSS2 Score	INFO 0.0 - MED 5.0	AV:N/AC:L/Au:N/C:P/I:N/A:N 0.0 if C:N
CVSS3 Score	NONE 0.0 - MED 5.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 0.0 if C:N

Description

ctl_getitem() is used by ntpd to process incoming mode 6 packets. A malicious mode 6 packet can be sent to an ntpd instance, and if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will cause ctl_getitem() to read past the end of its buffer.

Mitigation

Implement BCP-38.
Upgrade to ntp-4.2.8p11 or later.
Have enough sources of time.
Properly monitor your ntpd instances.
If ntpd stops running, auto-restart it without -g.

Credit

This weakness was discovered by Yihan Lian of Qihoo 360.

Timeline

2018 Feb 27: Public release
2018 Feb 12: Early Access Program Release: Premier and Partner Institutional Members
2018 Jan 23: Notification to Institutional Members
: Notification from reporter