The ntpq saveconfig command does not do adequate filtering of special characters from the supplied filename. Note: the ability to use the saveconfig command is controlled by the 'restrict nomodify' directive, and the recommended default configuration is to disable this capability. If the ability to execute a 'saveconfig' is required, it can easily (and should) be limited and restricted to a known small number of IP addresses. Upstream patches: https://github.com/ntp-project/ntp/commit/3680c2e4d5f88905ce062c7b43305d610a2c9796 https://github.com/ntp-project/ntp/commit/7fe04606062ed674db3b9553d32dedad29504d61
External References: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit http://www.talosintel.com/reports/TALOS-2016-0073/
Created ntp tracking bugs for this issue: Affects: fedora-all [bug 1300277]
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Mitigation: Use the 'restrict default nomodify' directive in ntp.conf to disable modification of ntp.conf via the ntpq command.