NTP BUG 3807: praecis_parse() in ntpd/refclock_palisade.c can write out-of-bounds

Last update: April 22, 2024 18:49 UTC (7e7bd5857)


Resolved 4.2.8p16 30 May 2023
References Bug 3807 CVE-2023-26555
Affects ntp-4.1.2 up to, but not including ntp-4.2.8p16. Resolved in 4.2.8p16.
CVSS3.1 Score
1.6 Low CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L (likely)
and: 3.6 Low CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L (potentially)


The Praecis reference clock gets time information from 3G CDMA cellphone towers, and relays it to ntpd over a serial port. Support for the Praecis refclock was added in November of 2002, before “defensive programming” was the norm. While once a useful means to transmit time, because CDMA signals have better building penetration than GPS, the use of CDMA networks are rapidly dwindling. At one time, there were 59 3G CDMA networks deployed around the world. As of now 49 have already shut down, and 5 of the remaining 10 are scheduled to shut down between now and 2025. The vulnerability described here relies on an attacker gaining physical access to the Praecis unit and, for example, uploading maliciously altered firmware that will send a response line of more than 100 bytes to an unpatched ntpd that is configured to get time from that serial connection using the Praecis driver, thus causing an overflow of an internal buffer.



Reported by Ping Lee (spwpun).


We apologize for the delay in issuing this report. We decided to take the time we needed to produce a thorough and comprehensive response in the face of the significant amount of materially incorrect information in the initial report and third party analysis of this issue.