Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yeHB4LXZjbXEtNWY3Ms4AA9aa

Unlimited number of NTS-KE connections can crash ntpd-rs server

Summary

Missing limit for accepted NTS-KE connections allows an unauthenticated remote attacker to crash ntpd-rs when an NTS-KE server is configured. Non NTS-KE server configurations, such as the default ntpd-rs configuration, are unaffected.

Details

Operating systems have a limit for the number of open file descriptors (which includes sockets) in a single process, e.g. 1024 on Linux by default. When ntpd-rs is configured as an NTS server, it accepts TCP connections for the NTS-KE service. If the process has reached the descriptor limit and tries to accept a new TCP connection, the accept() system call will return with the EMFILE error and cause ntpd-rs to abort.

A remote attacker can open a large number of parallel TCP connections to the server to trigger this crash. The connections need to be opened quickly enough to avoid the key-exchange-timeout-ms timeout (by default 1000 milliseconds).

Impact

Only NTS-KE server configurations are affected. Configurations without an NTS-KE server, such as NTS-client-only or NTP-only configurations, are unaffected. For affected configurations the ntpd-rs daemon can be made completely unavailable by crashing the service. If ntpd-rs is automatically restarted, an attacker can repeat the attack to prevent ntpd-rs from doing anything useful.

Workarounds

Permalink: https://github.com/advisories/GHSA-2xpx-vcmq-5f72
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yeHB4LXZjbXEtNWY3Ms4AA9aa
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 2 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-2xpx-vcmq-5f72, CVE-2024-38528
References: Repository: https://github.com/pendulum-project/ntpd-rs
Blast Radius: 1.0

Affected Packages

cargo:ntpd
Dependent packages: 0
Dependent repositories: 0
Downloads: 19,098 total
Affected Version Ranges: >= 0.3.1, <= 1.1.2
Fixed in: 1.1.3
All affected versions: 0.3.1, 0.3.2, 0.3.3, 0.3.5, 0.3.6, 0.3.7, 1.0.0, 1.1.0, 1.1.1, 1.1.2
All unaffected versions: 0.1.0, 0.1.1, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0