NTP BUG 2920: Invalid length data provided by a custom refclock driver could cause a buffer overflow
Last update: April 22, 2024 18:49 UTC (7e7bd5857)
Summary
| Resolved | 4.2.8p4 | 21 Oct 2015 |
|---|---|---|
| References | Bug 2920 | CVE-2015-7853 |
| Affects | Potentially all ntp-4 releases running up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 that have custom refclocks. | Resolved in 4.2.8p4. |
| CVSS2 Score | 0.0 usual case, 5.9 unusual worst case | AV:L/AC:H/Au:M/C:C/I:C/A:C |
Description
A negative value for the `datalen` parameter will overflow a data buffer. NTF's `ntpd` driver implementations always set this value to 0 and are therefore not vulnerable to this weakness. If you are running a custom refclock driver in `ntpd` and that driver supplies a negative value for `datalen` (no custom driver of even minimal competence would do this) then `ntpd` would overflow a data buffer. It is even hypothetically possible in this case that instead of simply crashing `ntpd` the attacker could effect a code injection attack.
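As an added illustration, not ntpd's own code and not the function the bug report covers: a hypothetical `append_clock_data` sink that takes a signed `datalen`, with the upper-bound-only check that lets a negative length through shown beside the hardened check that rejects it. The buffer size, function names and the sample timecode are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CLOCK_BUF_SIZE 32      /* assumed fixed-size buffer for driver data */

struct clock_buf {
    char   data[CLOCK_BUF_SIZE];
    size_t used;               /* bytes already occupied */
};

/* Bounds check of the shape the advisory describes: only the upper bound is
 * tested, so a negative signed datalen is accepted. Once cast to size_t for
 * memcpy, that negative value becomes a huge count and overruns the buffer.
 * Returns 1 when the check would accept datalen (check only, nothing copied). */
int weak_length_check(int datalen, size_t used)
{
    return datalen <= (int)(CLOCK_BUF_SIZE - used);
}

/* Hardened sink: rejects negative lengths first, then checks the remaining
 * room in unsigned arithmetic. Returns 0 on success, -1 on rejection. */
int append_clock_data(struct clock_buf *b, const char *src, int datalen)
{
    if (datalen < 0)
        return -1;                      /* the mitigation: zero or positive only */
    if ((size_t)datalen > CLOCK_BUF_SIZE - b->used)
        return -1;                      /* would not fit */
    memcpy(b->data + b->used, src, (size_t)datalen);
    b->used += (size_t)datalen;
    return 0;
}

/* Feeds one constructed driver sample (11 bytes) of the given datalen into a
 * fresh buffer and returns the sink's verdict, so edge cases can be probed. */
int try_datalen(int datalen)
{
    struct clock_buf b = { {0}, 0 };
    const char sample[] = "T:12:34:56Z";        /* constructed timecode */
    return append_clock_data(&b, sample, datalen);
}

int main(void)
{
    printf("weak check accepts datalen -1: %d\n", weak_length_check(-1, 0));
    printf("hardened sink, datalen -1: %d\n", try_datalen(-1));
    printf("hardened sink, datalen 11: %d\n", try_datalen(11));
    printf("hardened sink, datalen 64: %d\n", try_datalen(64));
    return 0;
}
```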
Mitigation
- Upgrade to 4.2.8p4 or later.
- If you are unable to upgrade:
  - If you are running custom refclock drivers, make sure the signed `datalen` value is either zero or positive.
  - Monitor your `ntpd` instances.
Credit
This weakness was discovered by Yves Younan of Cisco Talos.
Timeline
- 2015 Oct 21: Public release
- 2015 Oct 6: Early Access Program Release: Premier and Partner Institutional Members
- 2015 Aug 26: Notification to Institutional Members for 1593, 1774, 2382, 2899, and 2902
- 2015 Aug 20: Initial notification of 2902; analysis begins
- 2015 Aug 11: Initial notification of 2899; analysis begins