A flaw was found in ntp before version 4.2.8p13. An authenticated attacker can cause ntpd to sigsegv by triggering a NULL pointer exception.

Upstream issue: http://bugs.ntp.org/show_bug.cgi?id=3565

Upstream patch: http://bk.ntp.org/ntp-stable/ntpd/ntp_control.c?PAGE=diffs&REV=5c8106e7wWtXdh0lzg1ytlWribBTcQ

References: https://gitlab.com/NTPsec/ntpsec/issues/509
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1686606]
Although the RHEL7 version is missing the NULL checks added in this patch, it does not crash with the POC provided. It seems like this was introduced in later versions due to changes in the ctl_getitem() function in ntpd/ntp_control.c, which are not yet part of the RHEL7 version.
Statement: This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7.
ntp-4.2.8p13-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.8p13-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.8p13-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.