Bug 1434005 – CVE-2017-6458 ntp: Potential Overflows in ctl_put() functions

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1434005 - (CVE-2017-6458) CVE-2017-6458 ntp: Potential Overflows in ctl_put() functions

Summary:	CVE-2017-6458 ntp: Potential Overflows in ctl_put() functions

Status:	CLOSED NOTABUG

Aliases:	CVE-2017-6458

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20170321,reported=2...
Keywords:	Security

Depends On:	1435163
Blocks:	1434021
	Show dependency tree / graph

Reported:	2017-03-20 10:15 EDT by Adam Mariš
Modified:	2017-03-30 02:08 EDT (History)
CC List:	6 users (show)

See Also:
Fixed In Version:	ntp 4.2.8p10, ntp 4.3.94
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in NTP, in the building of response packets with custom fields. If custom fields were configured in ntp.conf with particularly long names, inclusion of these fields in the response packet could cause a buffer overflow, leading to a crash.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-03-30 02:08:16 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2017-03-20 10:15:30 EDT

ntpd makes use of different wrappers around ctl_putdata() to create name/value ntpq (mode 6) response strings. For example, ctl_putstr() is usually used to send string data (variable names or string data).  The formatting code was missing a length check for variable names. If somebody explicitly created any unusually long variable names in ntpd (longer than 200-512 bytes, depending on the type of variable), then if any of these variables are added to the response list it would overflow a buffer.

Mitigation:

Implement BCP-38.

If you don't want to upgrade, then don't setvar variable names longer than 200-512 bytes in your ntp.conf file.

Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.

Comment 1 Adam Mariš 2017-03-20 10:15:36 EDT

Acknowledgments:

Name: the NTP project
Upstream: Cure53

Comment 5 Adam Mariš 2017-03-23 06:08:41 EDT

Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1435163]

Comment 7 Doran Moppert 2017-03-30 01:59:42 EDT

Statement:

The security assessment from cure53 clarifies that this issue (identified as NTP-01-0004) is not a vulnerability per se, but a weakness in ntp's internal coding style that may cause a vulnerability if particularly long variable names are defined at compile time. No such variable names are defined in upstream source code, nor in Fedora or Red Hat Enterprise Linux versions of ntp.

Note You need to log in before you can comment on or make changes to this bug.