Talos Vulnerability Report
Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability
January 19, 2016
An unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack.
The following conditions must be met:
- Mode 7 must be enabled. By default, mode 7 is disabled.
- A large enough number of entries must be in the restrict lists to cause enough calls to list_restrict4() or list_restrict6() that the stack space is exhausted.
The ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is large enough, the resulting chain of calls to list_restrict4() or list_restrict6() exhausts the space on the call stack. The reslist command does not require authentication.
The ntpd process should be able to traverse any number of entries in the restrict list without exhausting the call stack.
The IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse. If enough entries exist in the restrict list, the recursion will eventually exhaust the available space on the call stack.
Implications of the defect:
An attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the “restrict source” mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.
Use iteration to traverse the restrict list or terminate the recursion after some number of entries have been processed.
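The recursive traversal described in the details above and the iterative replacement suggested as the mitigation, side by side as an added example. This is illustrative code written for this report, not ntpd's list_restrict4()/list_restrict6(): the restrict_entry struct, the integer address field and the list sizes are constructed assumptions, and output is collected into an array rather than printed so that both variants can be compared.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical restrict entry (not ntpd's real struct). */
struct restrict_entry {
    unsigned int addr;             /* constructed: address as a plain integer */
    struct restrict_entry *link;   /* next entry; the list is kept sorted in reverse */
};

/* Build n entries so that the head holds the largest address, i.e. the
 * list is in reverse order, as the report describes for ntpd. */
static struct restrict_entry *build_list(size_t n)
{
    struct restrict_entry *head = NULL;
    size_t i;
    for (i = 0; i < n; i++) {
        struct restrict_entry *e = malloc(sizeof *e);
        if (e == NULL)
            abort();
        e->addr = (unsigned int)i;   /* pushing 0..n-1 at the head yields n-1..0 */
        e->link = head;
        head = e;
    }
    return head;
}

static void free_list(struct restrict_entry *e)
{
    while (e != NULL) {
        struct restrict_entry *next = e->link;
        free(e);
        e = next;
    }
}

/* Defective pattern: recurse to the tail first so the output comes out in
 * forward order. Every entry costs one stack frame, so a large enough list
 * exhausts the call stack exactly as the report describes. */
static size_t dump_recursive(const struct restrict_entry *e, unsigned int *out, size_t pos)
{
    if (e == NULL)
        return pos;
    pos = dump_recursive(e->link, out, pos);
    out[pos] = e->addr;
    return pos + 1;
}

/* Mitigated pattern: count the entries, then walk the list once more and
 * fill the output from the back. Stack use is constant for any list length. */
static size_t dump_iterative(const struct restrict_entry *e, unsigned int *out)
{
    const struct restrict_entry *p;
    size_t n = 0, i;
    for (p = e; p != NULL; p = p->link)
        n++;
    i = n;
    for (p = e; p != NULL; p = p->link)
        out[--i] = p->addr;
    return n;
}

/* Returns 1 if both dumps produce the same forward-ordered output on a
 * list of n entries (keep n small: the recursive version is the defect). */
static int dumps_agree(size_t n)
{
    struct restrict_entry *list = build_list(n);
    unsigned int *a = calloc(n ? n : 1, sizeof *a);
    unsigned int *b = calloc(n ? n : 1, sizeof *b);
    size_t i, ra, rb;
    int ok;
    if (a == NULL || b == NULL)
        abort();
    ra = dump_recursive(list, a, 0);
    rb = dump_iterative(list, b);
    ok = (ra == n && rb == n);
    for (i = 0; ok && i < n; i++)
        ok = (a[i] == b[i] && a[i] == (unsigned int)i);
    free(a);
    free(b);
    free_list(list);
    return ok;
}

/* Returns the number of entries the iterative dump processed, so callers
 * can confirm it survives list sizes that would overflow the recursion. */
static size_t iterative_count(size_t n)
{
    struct restrict_entry *list = build_list(n);
    unsigned int *out = calloc(n ? n : 1, sizeof *out);
    size_t got;
    if (out == NULL)
        abort();
    got = dump_iterative(list, out);
    free(out);
    free_list(list);
    return got;
}

int main(void)
{
    printf("small list agree: %d\n", dumps_agree(16));
    /* dump_recursive on a list this long is what overflows a default-sized stack */
    printf("iterative handled %zu entries\n", iterative_count(2000000));
    return 0;
}
```

The two-pass walk in dump_iterative is one way to satisfy the mitigation; the report's other option, capping the recursion depth, trades completeness of the listing for safety, whereas iteration preserves the full reverse-order output with constant stack use.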
CVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C
CVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
This defect was discovered by Stephen Gray of Cisco ASIG.
2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release