NTP BUG 3767: An out-of-bounds KoD RATE ppoll value triggers an assertion abort in debug-enabled ntpd

Last update: April 22, 2024 18:49 UTC (7e7bd5857)

Summary

Resolved	4.2.8p16	30 May 2023
References	Bug 3767
Affects	ntp-4.2.8p14 up to, but not including ntp-4.2.8p16.	Resolved in 4.2.8p16.
CVSS3.1 Score	2.2 Low	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L

Description

By default, the NTP software builds with debugging enabled. We expect most folks who build from source to be using NTP for development purposes, where it makes sense to enable debugging. Similarly, we expect production release engineers to build production releases with debugging disabled. An attacker who has control over an ntpd instance the victim queries, or who is “lucky enough” to guess the packet transmit timestamp of an unauthenticated client request and inject their response before the real server responds, can send a response with a KoD (kiss-of-death) RATE packet with an out-of-bounds value that will cause a debug-enabled victim’s ntpd to abort with an assertion failure.

Mitigation

Use configure --disable-debugging ... when building the NTP software for production deployments.
Upgrade to 4.2.8p16, or later, from the NTP Project download site.

Credit

Reported by Miroslav Lichvar.

Timeline

2023 May 30: Public release
2023 May 10: Early Access Program Release: Premier and Partner Institutional Members
2023 Mar 20: Got found. Processes under review so this doesn’t happen again
2022 Jun 30: Notification from reporter. Got lost.