NTP BUG 3767: An out-of-bounds KoD RATE ppoll value triggers an assertion abort in debug-enabled ntpd
Last update: June 1, 2023 11:28 UTC (d2a7faef2)
By default, the NTP software builds with debugging enabled. We expect most folks who build from source to be using NTP for development purposes, where it makes sense to enable debugging. Similarly, we expect production release engineers to build production releases with debugging disabled. An attacker who has control over an
ntpd instance the victim queries, or who is “lucky enough” to guess the packet transmit timestamp of an unauthenticated client request and inject their response before the real server responds, can send a response with a KoD (kiss-of-death) RATE packet with an out-of-bounds value that will cause a debug-enabled victim’s
ntpd to abort with an assertion failure.
configure --disable-debugging ... when building the NTP software for production deployments.
- Upgrade to 4.2.8p16, or later, from the NTP Project download site.
Reported by Miroslav Lichvar.