Talos Vulnerability Report

TALOS-2016-0075

Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability

January 19, 2016

Report IDs

CVE-2015-7978
CERT VU#357792

Summary

An unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack.

The following conditions must be met:

  1. Mode 7 (the private/request mode used by ntpdc) must be enabled. By default, mode 7 is disabled.
  2. The restrict lists must hold enough entries that the calls to list_restrict4() or list_restrict6() exhaust the available call stack.

Expected Behavior:

The ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is large enough, the resulting calls to list_restrict4() or list_restrict6() exhaust the space on the call stack. The reslist command does not require authentication.

The ntpd process should be able to traverse any number of entries in the restrict list without exhausting the call stack.

Actual Behavior:

The IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse. If enough entries exist in the restrict list, the recursion will eventually exhaust the available space on the call stack.

Implications of the defect:

An attacker that can increase the size of the restrict list on a server with mode 7 (request mode) enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the "restrict source" mechanism, which adds a restriction entry per associated peer. Additionally, an authenticated user can add restrict lines to the running configuration through mode 6 (control mode) if it is enabled.

Recommendations:

Use iteration to traverse the restrict list or terminate the recursion after some number of entries have been processed.
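To make the defect and the recommended fix concrete, the following is an added example written for this page; it is not ntpd's or NTPsec's code. It models the restrict list as a simple reverse-ordered singly linked list (the struct and function names, build_list, list_restrict_recursive and list_restrict_iterative, are assumptions for this example). The recursive dump reproduces the pattern described under "Actual Behavior": it recurses to the tail before emitting anything, so N entries cost N stack frames. The iterative dump implements the recommendation above: it copies the list into a heap buffer and walks that buffer backwards, so its stack usage is constant no matter how long the list is.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for one entry of the IPv4 restrict list. Illustrative struct
 * written for this example, not ntpd's own restrict_u. */
struct restrict_entry {
    uint32_t addr;                 /* restricted address, host byte order */
    struct restrict_entry *next;
};

/* Build n entries kept in reverse (descending) address order, the ordering
 * the report describes: each new entry is pushed at the head of the list. */
struct restrict_entry *build_list(size_t n)
{
    struct restrict_entry *head = NULL;
    for (size_t i = 1; i <= n; i++) {
        struct restrict_entry *e = malloc(sizeof *e);
        if (e == NULL)
            exit(EXIT_FAILURE);
        e->addr = (uint32_t)i;
        e->next = head;
        head = e;
    }
    return head;
}

void free_list(struct restrict_entry *head)
{
    while (head != NULL) {
        struct restrict_entry *next = head->next;
        free(head);
        head = next;
    }
}

/* Vulnerable pattern: recurse to the tail first so that entries come out in
 * ascending order. Every entry costs one stack frame, so a list of N entries
 * needs N frames, and a large enough N overruns the stack and crashes the
 * process. max_depth records the deepest frame reached so the cost is
 * visible to the caller. */
static void dump_recursive(const struct restrict_entry *e, uint32_t *out,
                           size_t *count, size_t depth, size_t *max_depth)
{
    if (e == NULL)
        return;
    if (depth > *max_depth)
        *max_depth = depth;
    dump_recursive(e->next, out, count, depth + 1, max_depth);
    out[(*count)++] = e->addr;
}

size_t list_restrict_recursive(const struct restrict_entry *head,
                               uint32_t *out, size_t *max_depth)
{
    size_t count = 0;
    *max_depth = 0;
    dump_recursive(head, out, &count, 1, max_depth);
    return count;
}

/* Fixed pattern: one pass to count, one pass to copy into a heap buffer,
 * then emit the buffer backwards. Stack usage is constant regardless of
 * list length; if the heap allocation fails the function returns 0
 * instead of faulting. */
size_t list_restrict_iterative(const struct restrict_entry *head,
                               uint32_t *out)
{
    size_t n = 0;
    for (const struct restrict_entry *e = head; e != NULL; e = e->next)
        n++;
    if (n == 0)
        return 0;
    uint32_t *tmp = malloc(n * sizeof *tmp);
    if (tmp == NULL)
        return 0;
    size_t i = 0;
    for (const struct restrict_entry *e = head; e != NULL; e = e->next)
        tmp[i++] = e->addr;
    for (i = 0; i < n; i++)
        out[i] = tmp[n - 1 - i];   /* reverse the reverse-sorted list */
    free(tmp);
    return n;
}

int main(void)
{
    enum { N = 5000 };
    struct restrict_entry *list = build_list(N);
    uint32_t *out = malloc(N * sizeof *out);
    if (out == NULL)
        return EXIT_FAILURE;
    size_t depth = 0;
    size_t got = list_restrict_recursive(list, out, &depth);
    printf("recursive: %zu entries, %zu stack frames\n", got, depth);
    got = list_restrict_iterative(list, out);
    printf("iterative: %zu entries, first %u last %u\n",
           got, (unsigned)out[0], (unsigned)out[got - 1]);
    free(out);
    free_list(list);
    return 0;
}
```

Both routines produce the same ascending output; the difference is only in where the work is buffered. The recursive version keeps N partially completed frames on the stack until the tail is reached, which is why the number of restrict entries, not their content, decides whether ntpd survives the query. Capping the recursion depth, the report's alternative recommendation, would bound the stack but truncate the output, so the iterative form is the one to prefer.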

Tested Versions

ntp 4.2.8p3
NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92

Product URLs

http://www.ntp.org
http://www.ntpsec.org/

CVSS Score

CVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C
CVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit

This defect was discovered by Stephen Gray of Cisco ASIG.

Timeline

2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release