NTP BUG 3806: libntp/mstolfp() needs bounds checking

Last update: April 22, 2024 18:49 UTC (7e7bd5857)


Summary


Resolved: 4.2.8p16, 30 May 2023
References: Bug 3806, CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554
Affects: ntp-3 (and likely earlier) up to, but not including ntp-4.2.8p16. Resolved in ntp-4.2.8p16.
CVSS3.1 Score: between 2.0 Low CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L (likely) and 3.9 Low CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L (improbable)

Description

This vulnerability only affects ntpq and does NOT affect ntpd. This vulnerability could have been reported via a single CVE. ntpq makes requests of a target ntpd from a short-lived random high port and displays the results to the user. An attacker can send a crafted response if they either control the queried ntpd or become a “man-in-the-middle” (MITM) on the network path. This crafted response causes a buffer overflow in the victim’s ntpq client if it consists of a long ASCII character string that matches the pattern: [+-]DIGIT*[.]DIGIT*.
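The kind of bounds check the bug title calls for, shown as an added C example (not libntp's code and not the shipped fix): a hypothetical helper, copy_decimal_token(), copies a [+-]DIGIT*[.]DIGIT* token from an untrusted reply into a fixed buffer and rejects any token that would not fit. The function name, the 16-byte buffer and the sample inputs are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not libntp code: copy a token matching
 * [+-]DIGIT*[.]DIGIT* from untrusted input into dst (dstlen bytes).
 * Returns the token length, or -1 if the token has no digits or
 * would not fit together with its terminating NUL. */
int copy_decimal_token(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    int digits = 0, seen_dot = 0;

    if (src == NULL || dst == NULL || dstlen == 0)
        return -1;
    for (;; n++) {
        unsigned char c = (unsigned char)src[n];

        if (isdigit(c))
            digits++;
        else if (c == '.' && !seen_dot)
            seen_dot = 1;
        else if (!((c == '+' || c == '-') && n == 0))
            break;                      /* end of token */
        if (n + 1 >= dstlen) {          /* no room left for char + NUL */
            dst[0] = '\0';
            return -1;
        }
        dst[n] = (char)c;
    }
    if (digits == 0) {
        dst[0] = '\0';
        return -1;
    }
    dst[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[16], hostile[4097];        /* constructed sample inputs */

    memset(hostile, '9', sizeof(hostile) - 1);
    hostile[sizeof(hostile) - 1] = '\0';
    printf("%d\n", copy_decimal_token("+123.456", buf, sizeof(buf)));
    printf("%d\n", copy_decimal_token(hostile, buf, sizeof(buf)));
    return 0;
}
```

The length test runs before every store, so an over-long token is refused outright rather than truncated into a value the caller might still trust.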


Mitigation


Credit

Reported by Ping Lee (spwpun).


Timeline