Talos Intelligence, TALOS-2015-0064

Network Time Protocol Reference Clock Memory Corruption Vulnerability

Published October 21, 2015, www.talosintelligence.com

CVSS3: 9.8 High
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 7.5 High
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.073 Low (percentile 94.0%)

Talos Vulnerability Report

TALOS-2015-0064

Network Time Protocol Reference Clock Memory Corruption Vulnerability

October 21, 2015
CVE Number

CVE-2015-7853

Description

A potential buffer overflow vulnerability exists in the refclock handling of ntpd. An invalid length provided by a hardware reference clock could cause a buffer overflow, potentially resulting in memory being modified. A malicious refclock could provide a negative length to trigger this vulnerability.

Tested Versions

ntp 4.2.8p2

Product URLs

<http://www.ntp.org>

Details

At line 3233 in ntp_io.c, a size check is performed to ensure that the length provided isn’t greater than the space available in the buffer that is being written to.

3233	i = (rp->datalen == 0
3234	|| rp->datalen > (int)sizeof(rb->recv_space))
3235	? (int)sizeof(rb->recv_space)
3236	: rp->datalen;
3237	do {
3238		buflen = read(fd, (char *)&rb->recv_space, (u_int)i);
3239	} while (buflen < 0 && EINTR == errno);

However, the check is performed by casting the size of the buffer to int and doing a signed integer comparison. If datalen is negative, neither condition holds (it is not zero, and a negative value is not greater than the buffer size), so i is assigned the negative value unchanged. At line 3238 that value is cast to u_int, which turns it into a very large count, and read() may then write far past the end of recv_space.
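To make the failure mode concrete, the following is an added example written for this page; it is not ntpd code. It models the clamp above with a hypothetical struct (recvbuf_model, with a 16-byte recv_space followed by a canary), a stub read() that, like the real syscall, trusts the caller's count, and constructed device output. clamp_vulnerable() has the same shape as lines 3233-3236; clamp_fixed() is one hardened form (reject non-positive lengths before the size comparison) and is not claimed to be the upstream patch.

```c
/* Added example (not ntpd code): models the datalen clamp from ntp_io.c
 * with a hypothetical struct and a stub read(), so it runs stand-alone. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RECV_SPACE 16   /* hypothetical size; ntpd's recv_space is larger */

/* Hypothetical receive buffer: the space read() fills, followed by a
 * canary so that an overrun of recv_space is observable. */
struct recvbuf_model {
    char recv_space[RECV_SPACE];
    char canary[8];
};

/* Constructed "refclock device" output: 24 bytes, exactly the size of the
 * whole struct, so the stub never writes outside the model object. */
static const char DEVICE_DATA[sizeof(struct recvbuf_model)] =
    "0123456789ABCDEF" "OVERRUN!";

/* Stub for read(2): copies min(count, bytes available) from the device.
 * Like the real syscall it trusts the caller's count. */
static size_t stub_read(struct recvbuf_model *rb, unsigned int count)
{
    size_t n = count < sizeof(DEVICE_DATA) ? count : sizeof(DEVICE_DATA);
    memcpy((char *)rb, DEVICE_DATA, n);   /* destination is the whole object */
    return n;
}

/* Vulnerable clamp, same shape as the original: the signed comparison
 * lets a negative datalen through unchanged. */
static int clamp_vulnerable(int datalen)
{
    return (datalen == 0 || datalen > (int)RECV_SPACE) ? (int)RECV_SPACE : datalen;
}

/* Hardened clamp: reject zero and negative lengths before the size check. */
static int clamp_fixed(int datalen)
{
    if (datalen <= 0 || (size_t)datalen > RECV_SPACE)
        return (int)RECV_SPACE;
    return datalen;
}

/* The value that actually reaches read(): the (u_int) cast of i. */
static unsigned int read_count(int i)
{
    return (unsigned int)i;
}

/* Runs one refclock read with the chosen clamp; returns 1 if the canary
 * survived, 0 if recv_space was overrun. */
static int canary_intact(int datalen, int use_fix)
{
    struct recvbuf_model rb;
    memset(&rb, 0, sizeof rb);
    memcpy(rb.canary, "CANARY!!", 8);
    int i = use_fix ? clamp_fixed(datalen) : clamp_vulnerable(datalen);
    stub_read(&rb, read_count(i));
    return memcmp(rb.canary, "CANARY!!", 8) == 0;
}

int main(void)
{
    int lens[] = { 8, 0, 100, -1 };
    for (size_t k = 0; k < sizeof lens / sizeof lens[0]; k++)
        printf("datalen=%4d  count=%10u  vulnerable canary %s, fixed canary %s\n",
               lens[k], read_count(clamp_vulnerable(lens[k])),
               canary_intact(lens[k], 0) ? "intact" : "SMASHED",
               canary_intact(lens[k], 1) ? "intact" : "SMASHED");
    return 0;
}
```

With datalen = -1 the vulnerable clamp returns -1, the u_int cast turns it into UINT_MAX, and the stub writes everything the device offers, smashing the canary; the hardened clamp falls back to the buffer size and the canary survives. Positive in-range lengths behave identically under both clamps, which is why the bug is easy to miss in normal operation.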

Credit

Yves Younan of Cisco Talos


