CVE-2017-6462 — Improper Restriction of Operations within the Bounds of a Memory Buffer in NTP

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-20 — Improper Input Validation CWE-121 — Stack-based Buffer Overflow13 documents9 sources

Severity

7.8HIGHNVD

OSV5.9OSV5.5

EPSS

0.1%

top 73.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NTP Cairographics Cairo Debian NTP +1 more

Timeline

PublishedMar 27

Latest updateMay 14

Description

Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages6 packages

▶debiandebian/ntp< ntp 1:4.2.8p10+dfsg-1 (bullseye)

▶Debianntp/ntp< 1:4.2.8p10+dfsg-1

▶Ubuntuntp/ntp< 1:4.2.6.p5+dfsg-3ubuntu2.14.04.11+1

▶Ubuntucairographics/cairo< 1.14.6-1ubuntu0.1~esm1

▶NVDntp/ntp95 versions+94

Patches

Patch: support.ntp.org ↗Patch: support.ntp.org ↗

🔴Vulnerability Details

GHSA

GHSA-hghp-pw5c-9v93: Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4↗2022-05-14

▶

OSV

cairo vulnerabilities↗2022-05-10

▶

OSV

ntp vulnerabilities↗2017-07-05

▶

OSV

CVE-2017-6462: Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4↗2017-03-27

▶

📋Vendor Advisories

Ubuntu

NTP vulnerabilities↗2019-01-23

▶

Apple

CVE-2017-6462: macOS High Sierra 10.13↗2017-09-25

▶

Ubuntu

NTP vulnerabilities↗2017-07-05

▶

BSD

FreeBSD-SA-17:03.ntp: Multiple vulnerabilities of ntp↗2017-04-12

▶

Red Hat

ntp: Buffer Overflow in DPTS Clock↗2017-03-21

▶

💬Community

Bugzilla

CVE-2017-6464 CVE-2017-6462 CVE-2017-6463 CVE-2017-6458 CVE-2017-6451 ntp: various flaws [fedora-all]↗2017-03-23

▶

Bugzilla

CVE-2017-6462 ntp: Buffer Overflow in DPTS Clock↗2017-03-20

▶