Bug 1434014 – CVE-2017-6460 ntp: Buffer Overflow in ntpq when fetching reslist from a malicious ntpd

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1434014 - (CVE-2017-6460) CVE-2017-6460 ntp: Buffer Overflow in ntpq when fetching reslist from a malicious ntpd

Summary:	CVE-2017-6460 ntp: Buffer Overflow in ntpq when fetching reslist from a malic...

Status:	CLOSED NOTABUG

Aliases:	CVE-2017-6460

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20170321,repor...
Keywords:	Security

Depends On:
Blocks:	1434021
	Show dependency tree / graph

Reported:	2017-03-20 10:35 EDT by Adam Mariš
Modified:	2017-03-30 02:06 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	ntp 4.2.8p10, ntp 4.3.94
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in NTP, in the ntpq program. A malicious server could send a specially crafted response which would cause a stack buffer overflow, leading to a crash or potential code execution.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-03-30 02:06:19 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Adam Mariš 2017-03-20 10:35:49 EDT

A stack buffer overflow in ntpq can be triggered by a malicious ntpd server when ntpq requests the restriction list from the server. This is due to a missing length check in the reslist() function. It occurs whenever the function parses the server's response and encounters a flagstr variable of an excessive length. The string will be copied into a fixed-size buffer, leading to an overflow on the function's stack-frame. Note well that this problem requires a malicious server, and affects ntpq, not ntpd.

Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.

Comment 1 Adam Mariš 2017-03-20 10:35:54 EDT

Acknowledgments:

Name: the NTP project
Upstream: Cure53

Comment 4 Adam Mariš 2017-03-23 06:08:59 EDT

Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1435163]

Comment 5 Doran Moppert 2017-03-30 02:05:52 EDT

This flaw affects the mode6 reslist command, which is not supported by ntp-4.2.6p5 or earlier in Red Hat Enterprise Linux or Fedora <= 25.

Note You need to log in before you can comment on or make changes to this bug.