NTP BUG 3807: praecis_parse() in ntpd/refclock_palisade.c can write out-of-bounds
Last update: June 1, 2023 11:28 UTC (d2a7faef2)
The Praecis reference clock gets time information from 3G CDMA cellphone towers, and relays it to
ntpd over a serial port. Support for the Praecis refclock was added in November of 2002, before “defensive programming” was the norm. While once a useful means to transmit time, because CDMA signals have better building penetration than GPS, the use of CDMA networks are rapidly dwindling. At one time, there were 59 3G CDMA networks deployed around the world. As of now 49 have already shut down, and 5 of the remaining 10 are scheduled to shut down between now and 2025. The vulnerability described here relies on an attacker gaining physical access to the Praecis unit and, for example, uploading maliciously altered firmware that will send a response line of more than 100 bytes to an unpatched
ntpd that is configured to get time from that serial connection using the Praecis driver, thus causing an overflow of an internal buffer.
- If you are using a Praecis refclock and are worried about this vulnerability, upgrade to 4.2.8p16, or later, from the NTP Project download site. A patch to ntp-4.2.8p15 is available.
Reported by Ping Lee (spwpun).
We apologize for the delay in issuing this report. We decided to take the time we needed to produce a thorough and comprehensive response in the face of the significant amount of materially incorrect information in the initial report and third party analysis of this issue.