Red Hat Bugzilla – Bug 1274258
CVE-2015-7850 ntp: remote configuration denial of service vulnerability
Last modified: 2016-05-09 21:53:50 EDT
The following flaw was found in ntpd:
An exploitable denial of service vulnerability exists in the remote configuration functionality of the Network Time Protocol. A specially crafted configuration file could cause an endless loop resulting in a denial of service. An attacker could provide a malicious configuration file to trigger this vulnerability.
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1296167]
Closing this as notabug:
The issue relies on the fact that an attacker could provide a crafted config file that could cause ntpd to loop infinitely. Fixing this one case does not prevent the attacker from pointing ntpd to, e.g., the /dev/zero file, which would have the same effect. This issue is limited to users who are able to use the :config command.