Bug 2853 - Crafted remote config packet can crash some versions of ntpd.
Status: RESOLVED FIXED
Alias: None
Product: ntp
Classification: Unclassified
Component: ntp.conf parser
Version: 4.2.8
Hardware: PC All
Importance: P3 normal
Assignee: Harlan Stenn
 
Reported: 2015-06-18 20:51 UTC by Harlan Stenn
Modified: 2023-08-24 13:00 UTC
stenn: blocking4.2.8+


Description Harlan Stenn 2015-06-18 20:51:22 UTC
NUL in configuration directive causes a loop?
Comment 1 Harlan Stenn 2015-06-28 06:45:18 UTC
This bug was already fixed by Juergen Perlinger's fix for bug 2650,
which was included in 4.3.25 (released on 2015-05-01) and 4.2.8p3-RC1 (released 2015-05-12).

Even so, we'll be including some additional packet data validation checks.
Comment 2 Harlan Stenn 2015-06-29 01:37:40 UTC
FICORA #829967
Comment 3 Harlan Stenn 2015-06-29 01:41:00 UTC
This bug affects ntpd-4.2.5p3 until 4.2.8p3, or 4.3.0 until 4.3.25.
Comment 4 Harlan Stenn 2015-06-29 19:04:52 UTC
To summarize, if:

- remote configuration of ntpd is enabled (it's disabled by default),
- and an attacker knows the remote configuration password,
- and has access to a computer that is allowed to send remote configuration requests to ntpd,

the attacker can send a carefully-crafted packet to ntpd that will cause ntpd to crash.

The loophole that allowed this attack was closed in May of 2015.

We received this report in mid-June of 2015.
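
An exposure check built from the conditions in comments 1, 3 and 4, added here as an example and not taken from the NTP project's code. It tests whether an ntpd version falls in the affected ranges and whether an ntp.conf enables remote configuration for any source. The function names and the sample configuration are constructed for illustration, and `trustedkey` ranges are not expanded.

```python
import re

# Affected ranges from comment 3; upper bounds are the fixed releases named in comment 1.
AFFECTED = [((4, 2, 5, 3), (4, 2, 8, 3)), ((4, 3, 0, 0), (4, 3, 25, 0))]
DENY_FLAGS = {"nomodify", "noquery", "ignore"}  # each blocks runtime-config requests

# Constructed sample ntp.conf (not from the bug report).
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 192.0.2.10          # admin host: no nomodify/noquery
keys /etc/ntp.keys
trustedkey 1 7
controlkey 7
"""

def version_affected(version_text):
    """True if an ntpd version string such as '4.2.8p2' is in an affected range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version_text)
    if not m:
        raise ValueError(f"unrecognised ntpd version: {version_text!r}")
    v = tuple(int(g or 0) for g in m.groups())
    return any(lo <= v < hi for lo, hi in AFFECTED)

def remote_config_sources(conf_text):
    """Return restrict entries allowed to send remote config, or [] if it is off."""
    keys_file, trusted, ctl_keys, restricts = False, set(), set(), []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        kw, args = tokens[0].lower(), tokens[1:]
        if kw == "keys":
            keys_file = bool(args)
        elif kw == "trustedkey":
            trusted.update(args)  # simplification: key ranges are not expanded
        elif kw in ("controlkey", "requestkey"):
            ctl_keys.update(args[:1])
        elif kw == "restrict":
            restricts.append(args)
    # Remote configuration needs a key file and a trusted control/request key.
    if not (keys_file and ctl_keys & trusted):
        return []
    if not restricts:
        return ["any (no restrict lines)"]
    return [" ".join(a) for a in restricts
            if a and not DENY_FLAGS & {f.lower() for f in a}]

def exposed(version_text, conf_text):
    """Affected build and remote configuration reachable from at least one source."""
    return version_affected(version_text) and bool(remote_config_sources(conf_text))
```

The third condition in comment 4, whether an attacker knows the remote configuration password, cannot be read from the configuration and has to be assessed separately.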