NTP BUG 3414: ntpq: decodearr() can write beyond its buf limits
Last update: June 27, 2022 20:45 UTC (51d68a4aa)
ntpq is a monitoring and control program for
decodearr() is an internal function of ntpq that is used to – wait for it – decode an array in a response string when formatted data is being displayed. This is a problem in affected versions of ntpq if a maliciously-altered ntpd returns an array result that will trip this bug, or if a bad actor is able to read an ntpq request on its way to a remote ntpd server and forge and send a response before the remote ntpd sends its response. It’s potentially possible that the malicious data could become injectable/executable code.
This weakness was discovered by Michael Macnair of Thales e-Security.
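The defensive pattern for this class of bug, as an added example that is not ntpq's decodearr() or its actual fix: a decoder that splits an untrusted response string into fixed-size slots and rejects any element, or element count, that would not fit. The function name, TOK_MAX and the whitespace-separated layout are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TOK_MAX 16 /* assumed slot size, not a value from ntpq */

/* Hypothetical helper: split a whitespace-separated array from an untrusted
 * response into fixed-size slots. Returns the element count, or -1 when an
 * element or the element count would not fit, instead of writing past a slot. */
int decode_array_bounded(const char *resp, char out[][TOK_MAX], int max_elems)
{
    int n = 0;
    const char *p = resp;

    while (*p != '\0') {
        while (isspace((unsigned char)*p))
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;
        size_t len = (size_t)(p - start);
        /* Check before copying: the length comes from the peer's data. */
        if (n >= max_elems || len >= TOK_MAX)
            return -1;
        memcpy(out[n], start, len);
        out[n][len] = '\0';
        n++;
    }
    return n;
}

int main(void)
{
    char out[4][TOK_MAX];
    /* Constructed sample input, not a captured ntpd response. */
    int n = decode_array_bounded("0.125 -3.5 17", out, 4);
    for (int i = 0; i < n; i++)
        printf("elem[%d] = %s\n", i, out[i]);
    return n == 3 ? 0 : 1;
}
```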