Supposed RCE in ntp 4.2.8p15

There were several CVEs issued for ntp 4.2.8p15:
CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554, CVE-2023-26555

As of now I don’t find any discussion about the impact (or if it’s remotely executable at all).
The archives at list.ntp.org are a mess (partially empty). ntpsec doesn’t seem to be affected…

The first four CVEs refer to the function mstolfp(), which is defined in libntp/mstolfp.c (not existing in ntpsec!), but is not called by ntpd itself (not even indirectly), but only by the command line tool ntpq, for formatting the output, if I see it correctly. I think a remote attack on a running ntpd is impossible; at most, a malicious server can use it to attack a user calling ntpq.

The last CVE should have even less relevance for the general public, because the bug is in the driver for a certain GPS receiver. So only those who have such a receiver can be attacked, and then probably only via a manipulated firmware in the receiver.

4 Likes

And, for unauthenticated protocols, the network between a client and a server.

1 Like

The discussion in "ntpd is not vulnerable · Issue #1 · spwpun/ntp-4.2.8p15-cves · GitHub" is informative.

3 Likes

Statement from Meinberg:

3 Likes