NTP BUG 3412: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak
Last update: June 27, 2022 20:45 UTC (51d68a4aa)
Summary
Description
ctl_getitem() is used by ntpd to process incoming mode 6 packets. A malicious mode 6 packet can be sent to an ntpd instance, and if the ntpd instance is from 4.2.8p6 through 4.2.8p10, that will cause ctl_getitem() to read past the end of its buffer.
Mitigation
- Implement BCP-38.
- Upgrade to ntp-4.2.8p11 or later.
- Have enough sources of time.
- Properly monitor your ntpd instances.
- If ntpd stops running, auto-restart it without -g.
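As an added example (not part of the original advisory or the NTP project's code), the following script checks collected ntpd version banners against the affected range stated above, 4.2.8p6 through 4.2.8p10. The host names, banner strings and function names are constructed for illustration, and the banner format is an assumption.

```python
import re

# Affected range as stated in the advisory: 4.2.8p6 through 4.2.8p10, inclusive.
FIRST_AFFECTED = (4, 2, 8, 6)
LAST_AFFECTED = (4, 2, 8, 10)

# Matches "4.2.8p10" inside banners such as "ntpd 4.2.8p10@1.3728-o ...".
# A release without a "pN" suffix is treated as patch level 0.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(banner):
    """Return (major, minor, point, patch), or None if no NTP-style version is found."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(banner):
    """Classify one version banner against the range given for bug 3412 only."""
    version = parse_ntp_version(banner)
    if version is None:
        return "unknown"
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "affected"
    return "outside-range"


def audit(inventory):
    """Group hosts by classification; 'unknown' hosts need a manual check."""
    report = {"affected": [], "outside-range": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        report[classify(banner)].append(host)
    return report


# Constructed inventory: host names and banners are made up for this example.
SAMPLE_INVENTORY = {
    "ntp1.example.net": "ntpd 4.2.8p10@1.3728-o Tue Mar 21 14:36:42 UTC 2017 (1)",
    "ntp2.example.net": "ntpd 4.2.8p6",
    "ntp3.example.net": "ntp-4.2.8p11",
    "ntp4.example.net": "ntpd 4.2.8p5",
    "ntp5.example.net": "ntpd 4.2.6p5",
    "ntp6.example.net": "version string not collected",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as "outside-range" are only outside the range this advisory gives; the check says nothing about other bugs.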
Credit
This weakness was discovered by Yihan Lian of Qihoo 360.
Timeline