Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yeHB4LXZjbXEtNWY3Ms4AA9aa

Unlimited number of NTS-KE connections can crash ntpd-rs server

Summary

Missing limit for accepted NTS-KE connections allows an unauthenticated remote attacker to crash ntpd-rs when an NTS-KE server is configured. Non NTS-KE server configurations, such as the default ntpd-rs configuration, are unaffected.

Details

Operating systems have a limit for the number of open file descriptors (which includes sockets) in a single process, e.g. 1024 on Linux by default. When ntpd-rs is configured as an NTS server, it accepts TCP connections for the NTS-KE service. If the process has reached the descriptor limit and tries to accept a new TCP connection, the accept() system call will return with the EMFILE error and cause ntpd-rs to abort.

A remote attacker can open a large number of parallel TCP connections to the server to trigger this crash. The connections need to be opened quickly enough to avoid the key-exchange-timeout-ms timeout (by default 1000 milliseconds).

Impact

Only NTS-KE server configuration are affected. Those without an NTS-KE server configuration such as NTS client only or NTP only configuration are unaffected. For affected configurations the ntpd-rs daemon can made completely unavailable by crashing the service. If ntpd-rs is automatically restarted, an attacker can repeat the attack to prevent ntpd-rs from doing anything useful.

Workarounds

Permalink: https://github.com/advisories/GHSA-2xpx-vcmq-5f72
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yeHB4LXZjbXEtNWY3Ms4AA9aa
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 16 days ago
Updated: 13 days ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-2xpx-vcmq-5f72, CVE-2024-38528
References: Repository: https://github.com/pendulum-project/ntpd-rs
Blast Radius: 1.0

Affected Packages

cargo:ntpd
Dependent packages: 0
Dependent repositories: 0
Downloads: 11,972 total
Affected Version Ranges: >= 0.3.1, <= 1.1.2
Fixed in: 1.1.3
All affected versions: 0.3.1, 0.3.2, 0.3.3, 0.3.5, 0.3.6, 0.3.7, 1.0.0, 1.1.0, 1.1.1, 1.1.2
All unaffected versions: 0.1.0, 0.1.1, 1.1.3, 1.2.0