CVE-2023-33192: Improper handling of NTS cookie length that could crash the ntpd-rs server

May 25, 2023 (updated May 30, 2023)

ntpd-rs does not validate the length of NTS cookies in received NTP packets to the server. An attacker can crash the server by sending a specially crafted NTP packet containing a cookie shorter than what the server expects. The server also crashes when it is not configured to handle NTS packets.

ntpd-rs running purely as an ntp client is not affected.

References

github.com/advisories/GHSA-qwhm-h7v3-mrjx
github.com/pendulum-project/ntpd-rs
github.com/pendulum-project/ntpd-rs/pull/752
github.com/pendulum-project/ntpd-rs/releases/tag/v0.3.3
github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-qwhm-h7v3-mrjx
nvd.nist.gov/vuln/detail/CVE-2023-33192

Detect and mitigate CVE-2023-33192 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →