An unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack.
The following conditions must be met:
The ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large, enough nested calls to list_restrict4() or list_restrict6() will occur to exhaust the space on the call stack. The reslist command does not require authentication.
The ntpd process should be able to traverse any number of entries in the restrict list without exhausting the call stack.
The IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse. If enough entries exist in the restrict list, the recursion will eventually exhaust the available space on the call stack.
An attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the “restrict source” mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.
Use iteration to traverse the restrict list or terminate the recursion after some number of entries have been processed.
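The two traversal shapes described above and in the mitigation, as an added example that is not ntpd's code: a hypothetical restrict list kept in reverse insertion order (the layout the advisory describes), a recursive dump in the vulnerable shape but with the depth cap the mitigation suggests, and an iterative dump that uses a constant amount of stack no matter how many entries the list holds. The struct, function names and sample address values are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical restrict-list entry; ntpd's real struct is not reproduced here. */
typedef struct restrict_entry {
    unsigned int addr;             /* constructed sample value standing in for an address */
    struct restrict_entry *next;
} restrict_entry;

void free_list(restrict_entry *head) {
    while (head != NULL) {
        restrict_entry *next = head->next;
        free(head);
        head = next;
    }
}

/* Build n entries by inserting at the head, so the list is kept in reverse
 * order of insertion, as the advisory describes for ntpd's restrict lists. */
restrict_entry *build_list(size_t n) {
    restrict_entry *head = NULL;
    for (size_t i = 0; i < n; i++) {
        restrict_entry *e = malloc(sizeof *e);
        if (e == NULL) { free_list(head); return NULL; }
        e->addr = (unsigned int)i;
        e->next = head;
        head = e;
    }
    return head;
}

/* Vulnerable shape, made bounded: recurse to the tail first and emit on the way
 * back so output appears in insertion order. Every level is a stack frame, so
 * without a cap a long enough list exhausts the stack. The cap is the advisory's
 * second suggested fix: at MAX_RECURSION_DEPTH the walk stops, *truncated is set,
 * and only the newest MAX_RECURSION_DEPTH entries are emitted. */
#define MAX_RECURSION_DEPTH 4096

size_t dump_recursive_capped(const restrict_entry *e, size_t depth,
                             unsigned int *out, size_t cap, int *truncated) {
    if (e == NULL) return 0;
    if (depth >= MAX_RECURSION_DEPTH) { *truncated = 1; return 0; }
    size_t n = dump_recursive_capped(e->next, depth + 1, out, cap, truncated);
    if (n < cap) out[n] = e->addr;      /* "print" the entry */
    return n + 1;
}

/* Fixed shape: iterate. Count the entries, fill an index array back to front,
 * then walk it forward. Heap use grows with the list; stack use does not.
 * Returns the total number of entries and writes at most cap addresses to out. */
size_t dump_iterative(const restrict_entry *head, unsigned int *out, size_t cap) {
    size_t n = 0;
    for (const restrict_entry *e = head; e != NULL; e = e->next) n++;
    if (n == 0) return 0;
    const restrict_entry **order = malloc(n * sizeof *order);
    if (order == NULL) return 0;
    size_t i = n;
    for (const restrict_entry *e = head; e != NULL; e = e->next) order[--i] = e;
    for (i = 0; i < n && i < cap; i++) out[i] = order[i]->addr;   /* "print" */
    free(order);
    return n;
}

/* Self-check: build n entries, dump iteratively, confirm insertion order
 * (0, 1, 2, ...). Returns the number dumped, or 0 on failure. */
size_t check_iterative_order(size_t n) {
    restrict_entry *head = build_list(n);
    if (head == NULL) return 0;
    unsigned int *out = malloc(n * sizeof *out);
    if (out == NULL) { free_list(head); return 0; }
    size_t count = dump_iterative(head, out, n);
    for (size_t i = 0; i < count; i++)
        if (out[i] != (unsigned int)i) count = 0;
    free(out);
    free_list(head);
    return count;
}

/* Self-check for the capped recursion: returns entries emitted, sets *truncated. */
size_t check_recursive_capped(size_t n, int *truncated) {
    restrict_entry *head = build_list(n);
    unsigned int out[MAX_RECURSION_DEPTH];
    *truncated = 0;
    size_t count = dump_recursive_capped(head, 0, out, MAX_RECURSION_DEPTH, truncated);
    free_list(head);
    return count;
}

int main(void) {
    int truncated = 0;
    printf("iterative: %zu entries dumped in order\n", check_iterative_order(1000000));
    printf("recursive (capped): %zu entries, truncated=%d\n",
           check_recursive_capped(10000, &truncated), truncated);
    return 0;
}
```

The iterative version is the one to prefer: a cap keeps the daemon up but silently drops part of the listing, whereas the index-array walk reports every entry with a fixed stack footprint. A million-entry list, far beyond what a default 8 MiB stack would survive under unbounded recursion, dumps cleanly through dump_iterative.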
CVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C
CVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release