NTP BUG 3565: Crafted null dereference attack from a trusted source with an authenticated mode 6 packet

Last update: June 27, 2022 20:45 UTC (51d68a4aa)


Summary

Resolved: 4.2.8p13, 07 Mar 2019
References: Bug 3565, CVE-2019-8936
Affects: All ntp-4 releases up to, but not including, 4.2.8p13, and 4.3.0 up to, but not including, 4.3.94. Resolved in 4.2.8p13 and 4.3.94.
CVSS2 Score: 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
CVSS3 Score: 4.2 (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)

Description

A crafted malicious authenticated mode 6 (ntpq) packet from a permitted network address can trigger a NULL pointer dereference, crashing ntpd. Note that for this attack to work, the sending system must be on an address that the target’s ntpd accepts mode 6 packets from, and must use a private key that is specifically listed as being used for mode 6 authorization.
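To check an inventory against the affected ranges given in the Summary, the following added example (not part of the original advisory or of the NTP project's code) classifies ntpd version strings. The function names and the sample banners are constructed for illustration, and pre-release suffixes such as release candidates are assumed not to occur.

```python
import re

# Boundaries taken from the advisory's "Affects" row.
FIXED_STABLE = (4, 2, 8, 13)  # 4.2.8p13
DEV_START = (4, 3, 0, 0)      # 4.3.0
FIXED_DEV = (4, 3, 94, 0)     # 4.3.94

# Matches "4.2.8", "4.2.8p12", or a banner such as "ntpd 4.2.8p10@1.3728-o".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(text):
    """Return (major, minor, patch, plevel) or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # A missing "pN" suffix is treated as patch level 0.
    return tuple(int(g) if g else 0 for g in m.groups())


def affected_by_bug_3565(text):
    """True/False per the advisory's ranges; None if not a parsable ntp-4 version."""
    v = parse_ntp_version(text)
    if v is None or v[0] != 4:
        return None
    if v >= DEV_START:
        # Development line: 4.3.0 up to, but not including, 4.3.94.
        return v < FIXED_DEV
    # Stable line: everything before 4.2.8p13.
    return v < FIXED_STABLE


def triage(inventory):
    """Map host -> 'affected' / 'fixed' / 'unknown' for a {host: banner} dict."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {host: labels[affected_by_bug_3565(b)] for host, b in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and banners).
    sample = {
        "ntp-a.example": "ntpd 4.2.8p10@1.3728-o",
        "ntp-b.example": "4.2.8p13",
        "ntp-c.example": "4.3.93",
        "ntp-d.example": "unrecognized banner",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```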


Mitigation


Credit

Reported by Magnus Stubman.


Timeline