A flaw was found in the way the ntpq client certain processed incoming packets in a loop in the getresponse() function:
The loop's only stopping conditions are receiving a complete and correct response or hitting a small number of error conditions. If the packet contains incorrect values that don't trigger one of the error conditions, the loop continues to receive new packets.
A remote attacker could potentially use this flaw to crash an ntpq client instance. This attack requires the attacker to do one of the following:
* Own a malicious NTP server that the client trusts
* Prevent a legitimate NTP server from sending packets to the 'ntpq' client
* MITM the 'ntpq' communications between the 'ntpq' client and the NTP server
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1300277]
Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
ntp-4.2.6p5-36.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.6p5-36.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:2583 https://rhn.redhat.com/errata/RHSA-2016-2583.html